Evading security logging when logging into DigitalOcean (Fixed)

I noticed a while back that when I carelessly entered my login credentials to the form for registering a new user account on the front page of the DigitalOcean site, it would still log me in. Neato.

However, I was slightly less amused when I noticed that the login event didn’t show an IP address in my security history.

Security history page with IP address conspicuously missing

User.login event with IP address conspicuously missing

I reported this at the time the screenshot was taken several months ago. It appears they have recently fixed the issue.
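The gap described above is an audit-logging one: the registration form was an alternate path into an authenticated session, and the login event it produced reached the security history without the client address. As an added example (not DigitalOcean's code, and with a hypothetical minimal `Request` object standing in for a real framework's request), the sketch below routes every session-creating path through one audit function that refuses to record an authentication event without a client address, and adds a small check that flags historical `user.login` events missing an IP, which is what a reviewer of the security history would want to catch.

```python
"""
Added example, not code from the original post or from DigitalOcean.
Every path that establishes a session goes through one audit function that
takes the client address from the request itself; a separate check scans
existing history entries for login events that lack an address.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Request:
    # Hypothetical minimal request: the path hit and the peer address the
    # server saw. Behind a reverse proxy this would be the forwarded address
    # from a trusted hop instead of the socket peer.
    path: str
    remote_addr: Optional[str]


@dataclass
class AuditEvent:
    event_type: str
    user: str
    ip: Optional[str]


class AuditLog:
    def __init__(self) -> None:
        self.events: List[AuditEvent] = []

    def record(self, event_type: str, user: str, request: Request) -> AuditEvent:
        # Single choke point: the address comes from the request the session
        # was created on, never from a caller that may forget to pass it.
        if not request.remote_addr:
            raise ValueError(f"refusing to log {event_type} without client address")
        event = AuditEvent(event_type, user, request.remote_addr)
        self.events.append(event)
        return event


def establish_session(audit: AuditLog, user: str, request: Request) -> dict:
    # Shared by every entry point that ends with the user logged in.
    audit.record("user.login", user, request)
    return {"user": user, "path": request.path}


def handle_login(audit: AuditLog, user: str, request: Request) -> dict:
    return establish_session(audit, user, request)


def handle_register(audit: AuditLog, user: str, request: Request,
                    already_exists: bool) -> dict:
    # The registration form that quietly logs in an existing account still
    # goes through the same session helper, so the IP is captured on this
    # path too rather than only on the dedicated login form.
    if not already_exists:
        audit.record("user.register", user, request)
    return establish_session(audit, user, request)


def events_missing_ip(events: List[AuditEvent]) -> List[AuditEvent]:
    # Detection side: login events that reached the history without an IP.
    return [e for e in events if e.event_type == "user.login" and not e.ip]


# Constructed sample history, standing in for entries written by an older
# code path that did not enforce the address check.
CONSTRUCTED_HISTORY = [
    AuditEvent("user.login", "alice", "203.0.113.5"),
    AuditEvent("user.login", "carol", None),
    AuditEvent("user.register", "dave", "198.51.100.9"),
]


if __name__ == "__main__":
    audit = AuditLog()
    handle_register(audit, "alice", Request("/register", "203.0.113.5"),
                    already_exists=True)
    print(audit.events)
    print([e.user for e in events_missing_ip(CONSTRUCTED_HISTORY)])
```

The point of the single `establish_session` helper is that a product can grow several ways to end up logged in (login form, registration form, OAuth callback, password reset), and the audit record should be written by the code that creates the session, not by each form handler separately.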

Just a reminder that not all vulnerabilities are obvious, and you can’t find them all with Burp.
