- Status Closed
- Assigned To No-one
- Private
Opened by monty099 - 09.04.2025
Last edited by xlefloch - 09.04.2025
FS#151 - Title: Logical Flaw in Account Transfer Allows Unexpected Loss of
Title: Logical Flaw in Account Transfer Allows Unexpected Loss of Site/Domain Ownership After Old Invitation is Accepted
—
Description:
The AlwaysData platform allows users to transfer ownership of assets such as sites and domains, either individually or by transferring the entire account to another user. The vulnerability occurs when an invitation to transfer a specific asset (e.g., a site) is sent to a user who delays accepting it. Later, the entire account — including the previously invited site/domain — is transferred to a different user.
The issue arises when the first user (who received the initial invitation) finally accepts it after the account has already been transferred. This results in the site or domain being unexpectedly and silently pulled from the new account owner and given to the first invited user — a behavior that is both unintended and out of the new owner’s control.
—
Steps to Reproduce:
1. User A owns an account that contains a site (e.g., testss.alwaysdata.net).
2. A sends an invitation to B to transfer the site ownership.
3. B does not accept the invitation immediately.
4. Later, A transfers the entire account (including the site and domain) to C.
5. C begins using the site in a production environment.
6. After some time, B accepts the old invitation for the site.
7. Result: The site is unexpectedly transferred from C to B, causing:
Service downtime if the site is in active use.
Loss of access for C.
Potential data leakage if the site contains sensitive content.
###I sent a proof of concept: https://admin.alwaysdata.com/support/86226/
—
Impact:
Loss of full control: User C, now the legitimate account owner, loses the site/domain without notice.
Privacy and confidentiality breach: If sensitive data exists on the site or domain.
Abuse potential: Malicious actors could deliberately delay accepting invites to hijack assets in the future.
—
Severity:
P2 - High Severity
Ease of Exploitation: No advanced techniques required.
Impact: High, as it affects ownership of critical infrastructure.
Unexpected Behavior: From the new owner’s perspective, the outcome is both surprising and disruptive.
—
Recommendations:
1. Invalidate pending invitations automatically upon account or asset transfer.
2. Redesign ownership logic to bind invitations to current ownership context.
3. Add verification layers to ensure old invitations can't be acted upon after transfer events.
Loading...
Available keyboard shortcuts
- Alt + ⇧ Shift + l Login Dialog / Logout
- Alt + ⇧ Shift + a Add new task
- Alt + ⇧ Shift + m My searches
- Alt + ⇧ Shift + t focus taskid search
Tasklist
- o open selected task
- j move cursor down
- k move cursor up
Task Details
- n Next task
- p Previous task
- Alt + ⇧ Shift + e ↵ Enter Edit this task
- Alt + ⇧ Shift + w watch task
- Alt + ⇧ Shift + y Close Task
Task Editing
- Alt + ⇧ Shift + s save task
Hello,
The issue is valid and has been fixed.
Please open a ticket support to claim your reward.
Regards,