Identity Management / User Account Is Not Being Deleted after "Delete Account"

Web and API

Description

User account is not being deleted after "Delete Account" is an IT vulnerability in the Identity Management category that applies to Web and API. It is listed in the Common Weakness Enumeration (CWE) directory as CWE-530: Exposure of Sensitive Information During Deletion. The vulnerability arises when a user requests deletion of their account but the account and its associated data remain in the system, so the user's data is still accessible. This can lead to further security issues, such as account takeover and data theft.

Risk

This vulnerability can lead to significant security risks, exposing sensitive user data and allowing continued access to accounts that have supposedly been deleted. The OWASP Testing Guide rates this vulnerability as a medium risk: it can lead to data loss and identity theft, but does not necessarily provide direct access to the system.

Solution

The solution to this problem is to ensure that the account is completely removed from the system once the user has chosen to delete it. This can be done by running a script that checks the system and deletes any lingering user data associated with the account, such as passwords and email addresses. Additionally, if the system is connected to a database, the user must be removed from the database and all associated data deleted.
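As an added example that is not part of the original page, the Python below puts the flawed deletion (only the users row is removed) beside a complete one that clears every table keyed to the account in a single transaction, and includes the residual-data check described above. The SQLite schema, table names and sample rows are constructed assumptions for illustration.

```python
import sqlite3

# Every table keyed to a user account, most-sensitive access paths first.
# Constructed for this example: a real schema will differ (assumption).
USER_DATA_TABLES = ("sessions", "api_tokens", "credentials", "email_addresses", "users")

def key_column(table: str) -> str:
    return "id" if table == "users" else "user_id"

def build_sample_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows for two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT);
        CREATE TABLE credentials (user_id INTEGER, password_hash TEXT);
        CREATE TABLE email_addresses (user_id INTEGER, email TEXT);
        CREATE TABLE api_tokens (user_id INTEGER, token TEXT);
        CREATE TABLE sessions (user_id INTEGER, session_id TEXT);
        INSERT INTO users VALUES (1, 'alice'), (2, 'bob');
        INSERT INTO credentials VALUES (1, 'hash-a'), (2, 'hash-b');
        INSERT INTO email_addresses VALUES (1, 'alice@example.test'), (2, 'bob@example.test');
        INSERT INTO api_tokens VALUES (1, 'tok-a1'), (1, 'tok-a2');
        INSERT INTO sessions VALUES (1, 'sess-a'), (2, 'sess-b');
    """)
    return conn

def find_lingering_data(conn: sqlite3.Connection, user_id: int) -> dict:
    """Return {table: row_count} for each table still referencing the account; {} means clean."""
    leftovers = {}
    for table in USER_DATA_TABLES:  # table names come from our constant, not from user input
        sql = f"SELECT COUNT(*) FROM {table} WHERE {key_column(table)} = ?"
        count = conn.execute(sql, (user_id,)).fetchone()[0]
        if count:
            leftovers[table] = count
    return leftovers

def naive_delete(conn: sqlite3.Connection, user_id: int) -> dict:
    """The flawed pattern: only the users row goes; sessions and credentials remain usable."""
    with conn:
        conn.execute("DELETE FROM users WHERE id = ?", (user_id,))
    return find_lingering_data(conn, user_id)

def delete_account(conn: sqlite3.Connection, user_id: int) -> dict:
    """Remove the account and all associated data in one transaction, then verify.
    Sessions and tokens go first; 'with conn' commits on success, rolls back on error."""
    with conn:
        for table in USER_DATA_TABLES:
            conn.execute(f"DELETE FROM {table} WHERE {key_column(table)} = ?", (user_id,))
    return find_lingering_data(conn, user_id)
```

The dict returned by `delete_account` doubles as the post-deletion audit: anything other than an empty result means data survived the "Delete Account" request.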
