Introduction
Hello, I'm Moataz (bug bounty hunter), and I will take you for a ride. Let's begin.
In this write-up, I'll walk through a vulnerability I discovered that allows unauthorized account deletion by simply manipulating the HTTP method used in a request.
Although the impact was ultimately considered limited, the issue highlights an important lesson in API security: never trust the client, and always enforce server-side controls.
Vulnerability Overview
The application exposes the following endpoint:
/api/users/{user_id}
According to the platform's official workflow, account deletion should:
- Be performed only through support requests
- Be restricted to account owners
- Require manual approval
However, this logic was not enforced at the API level.
By changing the HTTP method from a standard request (e.g., GET or PUT) to:
DELETE
It becomes possible to delete an account directly — without going through the intended process.
Steps to Reproduce
- Authenticate as a valid user
- Intercept a request to:
/api/users/{user_id}
- Modify the HTTP method to:
DELETE
- Send the request
Result:
- The account is deleted immediately
- No support approval required
- No additional confirmation
- No re-authentication
- No ownership verification beyond session authentication
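To make the missing server-side control concrete, here is an added example (not the vendor's code, and not from the original write-up) of a hypothetical in-memory DELETE handler for /api/users/{user_id} in both forms: the reported behaviour, where an authenticated session deletes the account immediately, beside a hardened handler that enforces the documented workflow (owner only, an approved support request on record, and fresh re-authentication). The Store class, the session dict shape and the status codes are assumptions for illustration.

```python
import re
from dataclasses import dataclass, field

# Hypothetical model of the endpoint described in the write-up; not the vendor's code.
USER_ROUTE = re.compile(r"^/api/users/(?P<user_id>\d+)$")


@dataclass
class Store:
    users: set                                              # existing user ids
    approved_deletions: set = field(default_factory=set)    # ids with an approved support request


def weak_delete(method, path, session, store):
    """Reported behaviour: any authenticated session can DELETE its own account
    directly; the support-request and manual-approval workflow is never consulted."""
    m = USER_ROUTE.match(path)
    if session is None:
        return 401
    if not m:
        return 404
    if method != "DELETE":
        return 405
    uid = int(m["user_id"])
    if uid != session["user_id"]:
        return 403
    store.users.discard(uid)
    return 204


def hardened_delete(method, path, session, store, reauthenticated=False):
    """Enforces the documented workflow server-side instead of trusting the client.
    Only the DELETE branch of the resource is modelled here."""
    m = USER_ROUTE.match(path)
    if session is None:
        return 401
    if not m:
        return 404
    if method != "DELETE":
        return 405
    uid = int(m["user_id"])
    if uid not in store.users:
        return 404
    if uid != session["user_id"]:
        return 403                      # restricted to the account owner
    if uid not in store.approved_deletions:
        return 409                      # no approved support request: refuse
    if not reauthenticated:
        return 401                      # destructive action requires re-authentication
    store.users.discard(uid)
    store.approved_deletions.discard(uid)
    return 204
```

The approved_deletions set stands in for whatever record the support process writes after manual approval; the point is that the API consults that record rather than the request method alone.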
Report Outcome
The vulnerability was reported through a coordinated disclosure program.
Response Summary:
- The issue was successfully reproduced
- It was classified as Medium severity (CVSS 4.3)
- After I submitted the report, it was marked as a duplicate
- Impact was considered limited, since the attacker can only delete their own account

The End:
Thanks for your time — I hope you found this write-up insightful.