Security vulnerabilities

  • Status Closed
  • Assigned To No-one
  • Private
Attached to Project: Security vulnerabilities
Opened by monty099 - 09.04.2025
Last edited by xlefloch - 09.04.2025

FS#151 - Title: Logical Flaw in Account Transfer Allows Unexpected Loss of

Title: Logical Flaw in Account Transfer Allows Unexpected Loss of Site/Domain Ownership After Old Invitation is Accepted

Description:

The AlwaysData platform allows users to transfer ownership of assets such as sites and domains, either individually or by transferring the entire account to another user. The vulnerability occurs when an invitation to transfer a specific asset (e.g., a site) is sent to a user who delays accepting it. Later, the entire account — including the previously invited site/domain — is transferred to a different user.

The issue arises when the first user (who received the initial invitation) finally accepts it after the account has already been transferred. This results in the site or domain being unexpectedly and silently pulled from the new account owner and given to the first invited user — a behavior that is both unintended and out of the new owner’s control.

Steps to Reproduce:

1. User A owns an account that contains a site (e.g., testss.alwaysdata.net).

2. A sends an invitation to B to transfer the site ownership.

3. B does not accept the invitation immediately.

4. Later, A transfers the entire account (including the site and domain) to C.

5. C begins using the site in a production environment.

6. After some time, B accepts the old invitation for the site.

7. Result: The site is unexpectedly transferred from C to B, causing:

  • Service downtime if the site is in active use.
  • Loss of access for C.
  • Potential data leakage if the site contains sensitive content.

I sent a proof of concept: https://admin.alwaysdata.com/support/86226/

Impact:

Loss of full control: User C, now the legitimate account owner, loses the site/domain without notice.

Privacy and confidentiality breach: If sensitive data exists on the site or domain.

Abuse potential: Malicious actors could deliberately delay accepting invites to hijack assets in the future.

Severity:

P2 - High Severity

Ease of Exploitation: No advanced techniques required.

Impact: High, as it affects ownership of critical infrastructure.

Unexpected Behavior: From the new owner’s perspective, the outcome is both surprising and disruptive.

Recommendations:

1. Invalidate pending invitations automatically upon account or asset transfer.

2. Redesign ownership logic to bind invitations to current ownership context.

3. Add verification layers to ensure old invitations can't be acted upon after transfer events.
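
A minimal model of the three recommendations above, added here as an illustration; it is not part of the original report and is not AlwaysData's code. The `epoch` counter, the `Registry` class and every other name are assumptions made for the example, and user names A, B and C follow the reproduction steps.

```python
from contextlib import suppress
from dataclasses import dataclass

class StaleInvitation(Exception): pass

@dataclass
class Asset:
    name: str
    owner: str
    epoch: int = 0  # assumed field: bumped on every ownership change

@dataclass
class Invitation:
    asset: Asset
    inviter: str
    invitee: str
    epoch: int  # asset.epoch at the moment the invitation was issued

class Registry:
    def __init__(self):
        self.pending = []

    def invite(self, asset, invitee):
        inv = Invitation(asset, asset.owner, invitee, asset.epoch)
        self.pending.append(inv)
        return inv

    def set_owner(self, asset, new_owner):
        asset.owner, asset.epoch = new_owner, asset.epoch + 1
        # Recommendation 1: any transfer drops pending invitations for the asset.
        self.pending = [i for i in self.pending if i.asset is not asset]

    def accept_unchecked(self, inv):
        # Behaviour the report describes: current ownership is never consulted.
        inv.asset.owner = inv.invitee

    def accept(self, inv):
        a = inv.asset  # Recommendations 2 and 3: bind to the ownership context.
        if inv not in self.pending or inv.epoch != a.epoch or inv.inviter != a.owner:
            raise StaleInvitation(a.name)
        self.set_owner(a, inv.invitee)

def scenario(checked):
    """Replay steps 1-6 of the report and return the site's final owner."""
    reg, site = Registry(), Asset("testss.alwaysdata.net", owner="A")
    inv = reg.invite(site, "B")   # steps 2-3: invitation left pending
    reg.set_owner(site, "C")      # step 4: the account, and the site, move to C
    with suppress(StaleInvitation):
        (reg.accept if checked else reg.accept_unchecked)(inv)  # step 6
    return site.owner
```

The epoch and inviter comparison in `accept` is deliberately redundant with the revocation in `set_owner`, so a transfer path that forgets to revoke still cannot honour an old invitation.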

Closed by  xlefloch
09.04.2025 09:20
Reason for closing:  Fixed
Admin

Hello,

The issue is valid and has been fixed.

Please open a support ticket to claim your reward.

Regards,
