- Status Closed
Assigned To
cbay - Private
Opened by AKASH - 16.04.2025
Last edited by cbay - 16.04.2025
FS#155 - Privilege Escalation via Unvalidated Account Invitation Deletion
Vulnerability Summary
Title: Privilege Escalation via Unvalidated Invitation Deletion Leading to Unrestricted Account Creation
Severity: High (Potential Impact: Unauthorized Account Proliferation, Bypass of Email Verification)
Vulnerability Type: Logic Flaw / Privilege Escalation
Affected Functionality: User Invitation & Account Registration System
Detailed Vulnerability Description
1. Vulnerability Discovery
While testing the privilege escalation mechanisms on admin.alwaysdata.com, I investigated the account invitation system. The process involves:
- Creating an account using my primary email: akashghoshakg19@gmail.com
- Inviting a secondary email: akashghoshakg19+6@gmail.com (Gmail alias)
2. Unexpected Behavior Observed
After sending the invitation, I deleted the invitation before the secondary email accepted it. However, the invitation link remained functional, allowing the secondary account (akashghoshakg19+6@gmail.com) to successfully register.
How can I be sure of that?
Well, when I deleted my secondary account (akashghoshakg19+6@gmail.com), it sent a confirmation email to my main account (akashghoshakg19@gmail.com), which is shown in the attached video PoC.
3. Impact Analysis
- Bypass of Email Verification: The system does not properly invalidate deleted invitations, allowing unauthorized account creation.
- Unrestricted Account Proliferation: An attacker can exploit this flaw to create multiple accounts without proper validation checks.
- Potential Abuse Scenarios:
- Spamming the platform with fake accounts
- Bypassing rate limits or sign-up restrictions
- Conducting fraudulent activities under multiple identities
4. Proof of Concept (PoC)
Steps to Reproduce:
1. Register an account with: `akashghoshakg19@gmail.com`
2. Invite a secondary email: `akashghoshakg19+6@gmail.com`
3. Delete the invitation before the secondary user accepts it.
4. Observe that the invitation link still works, allowing `akashghoshakg19+6@gmail.com` to register.
5. Check the primary email (`akashghoshakg19@gmail.com`) – it receives a confirmation, but the system fails to enforce proper validation.
Evidence:
The video POC link: https://drive.google.com/file/d/1VmByRPCRfixrQvDWKmMnRO9KAJjT2GzB/view?usp=sharing
Security Impact
- Privilege Escalation Risk: Attackers can create multiple accounts without proper verification.
- Account Takeover Potential: If combined with other flaws, this could lead to unauthorized access.
- System Abuse: Malicious users can exploit this to evade detection and launch attacks.
Recommendations for Fix
1. Immediate Invalidation of Deleted Invitations:
- Ensure that once an invitation is deleted, the associated link is immediately invalidated.
2. Strict Session & Token Validation:
- Implement server-side checks to verify invitation status before allowing registration.
3. Rate Limiting & Monitoring:
- Enforce stricter rate limits on account creation to prevent mass exploitation.
4. Email Verification Enforcement:
- Require fresh verification for all invited accounts, regardless of invitation status.
Conclusion
This vulnerability allows bypassing critical security checks in the account registration process, leading to privilege escalation and potential system abuse. Immediate remediation is recommended to prevent exploitation.
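The invalidation and status check recommended above, as an added example that is not part of the original report and not alwaysdata's code: an invitation store where a deleted invitation is marked revoked and redemption checks status, expiry and single use. The `InvitationStore` class, its method names and the hypothetical `redeem_vulnerable` variant (which models the reported behaviour by checking only that the token exists) are all assumptions.

```python
# Added example, not alwaysdata's code: models the reported flaw and its fix.
import hashlib
import secrets
import time


class InvitationStore:
    """Invitation tokens keyed by hash; status is checked on every redemption."""

    def __init__(self, ttl_seconds=7 * 24 * 3600):
        self._invites = {}  # token_hash -> dict(inviter, email, status, expires)
        self.ttl = ttl_seconds

    @staticmethod
    def _hash(token):
        # Store only a hash so a database leak does not expose usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, inviter, invitee_email, now=None):
        token = secrets.token_urlsafe(32)  # unguessable, goes into the emailed link
        issued = now if now is not None else time.time()
        self._invites[self._hash(token)] = {
            "inviter": inviter, "email": invitee_email,
            "status": "pending", "expires": issued + self.ttl,
        }
        return token

    def delete(self, token):
        # Deleting an invitation marks it revoked; the link must stop working.
        inv = self._invites.get(self._hash(token))
        if inv is not None:
            inv["status"] = "revoked"

    def redeem_vulnerable(self, token):
        # Hypothetical model of the reported behaviour: only existence is
        # checked, so a deleted invitation still lets the invitee register.
        inv = self._invites.get(self._hash(token))
        return inv["email"] if inv is not None else None

    def redeem(self, token, now=None):
        # Fixed behaviour: the invitation must be pending, unexpired and unused.
        inv = self._invites.get(self._hash(token))
        if inv is None or inv["status"] != "pending":
            return None
        if (now if now is not None else time.time()) > inv["expires"]:
            inv["status"] = "expired"
            return None
        inv["status"] = "accepted"  # single use: a second redemption fails
        return inv["email"]
```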
My main point is: without the validation we can create mass accounts, and also fake accounts, by this procedure.
Hello,
I don't see any vulnerability here. Yes, you can create many accounts.
Kind regards,
Cyril
Hello cbay, when we create accounts we have to go through validation after submitting our credentials, but here no validation is needed. This is one point, and anyone can create a huge number of accounts using this. It is really a security issue; validation is really needed. Another important thing is that if I cancel or delete the invitation from "add user", the link should be invalid. Kindly observe this behavior. It is widely accepted in HackerOne also.
Please reply; I can give you supporting materials for my observation.
Kindly talk with other security researchers. Because when I sign up I have to go through validation using email confirmation, but in my scenario I can violate this.
Not when you're vouched (i.e. invited) by another client.
But I can still do whatever I want. I can invite many users —
Another point about privilege escalation:
Didn’t you consider that the invite link might become invalid if we remove the user?
This directly relates to privilege escalation
Why would we do that? If you've invited someone to alwaysdata, they are still invited even if you left.
This is not intended behavior, brother. I am a security researcher and it is really a concerning bug.
Why would we do that? If you've invited someone to alwaysdata, they are still invited even if you left.
Because then they can do everything when we create an account as a new user. They can invite members. So here validation must be required, don't you think? Isn't it important from a security researcher's view? If not, I have nothing to say.
Do you need reports or supporting materials ?
Why would we do that? If you've invited someone to alwaysdata, they are still invited even if you left.
And one thing: I did not leave, I removed them from the account. Kindly recheck.
I want to hear the last word from you: do you consider it a valid bug or not?
No we don't.