Security vulnerabilities

  • Status: Closed
  • Assigned To: cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by dav3n - 14.05.2025
Last edited by cbay - 14.05.2025

FS#172 - Race Condition in Cloud Subscription Endpoint Allows Unlimited Free Storage

Summary:

Hello,

I have identified a critical race condition vulnerability on alwaysdata.com that allows any authenticated user to bypass account restrictions and provision unlimited 100MB free cloud instances.
This issue can be exploited using Burp Suite along with the Turbo Intruder extension, although other tools capable of concurrent requests may also be used.

Steps to Reproduce:

  1. Log into any valid user account on https://admin.alwaysdata.com.
  2. Make sure the account does not already own a 100MB free cloud instance.
  3. Start creating a new 100MB free cloud subscription via the interface.
  4. Intercept the request sent to the following endpoint:

     POST /admin/account/add/ HTTP/1.1
     Host: admin.alwaysdata.com

  5. Modify the name parameter by inserting %s, which Turbo Intruder will later replace using a wordlist.
  6. Configure Turbo Intruder to fire multiple concurrent requests to that endpoint using the modified payload:

     csrfmiddlewaretoken=<csrf>&name=%s&password=<yourpass>&location=datacenter_3&product=1&period=1mo&submit=

  7. Launch the Turbo Intruder attack.

You’ll observe multiple responses with a similar length (~270), which indicates that several cloud instances were successfully created concurrently.

Check your subscription list: you'll notice that multiple 100MB free clouds have been added, bypassing the expected 1-instance restriction.

Proof of Concept (Video):

https://youtu.be/GWuo8FdqC1s

Impact:

This vulnerability allows any authenticated user to:

  • Bypass subscription restrictions and claim multiple "free tier" services.
  • Abuse storage resources by stacking unlimited 100MB instances.
  • Impact the platform’s financial stability due to misuse of free offerings.
  • Overload infrastructure, potentially degrading performance or availability for other users.
  • Undermine alwaysdata’s business model, by rendering subscription limits ineffective.

In short, this vulnerability could be weaponized to consume massive amounts of storage at zero cost, with no rate limit or quota enforcement preventing abuse.

Recommendations:

  • Implement server-side locking or atomic operations to prevent concurrent subscription creation.
  • Apply idempotency checks and enforce strict rate limiting.
  • Consider rejecting duplicate subscription requests at the application logic level, even under concurrent load.

Contact: If you need additional information, reproduction support, or testing help, feel free to reach out.

Best regards,
dav3n

Closed by cbay
14.05.2025 15:39
Reason for closing: Invalid
Admin
cbay commented on 14.05.2025 15:39

Hello,

That's true, but it's not a security issue. There are many other ways you can abuse resources, and they don't qualify as vulnerabilities.

Kind regards,
Cyril

dav3n commented on 14.05.2025 15:44

Hello Cyril,

Thank you for your response.

While I understand that some forms of resource abuse may not always qualify as security vulnerabilities, I respectfully disagree in this case. This race condition leads to unauthorized privilege escalation by allowing users to bypass business logic constraints that are clearly in place — namely, the one-time limitation on free 100MB cloud instances.

This is not just about "resource abuse"; it is a violation of access control policies. The restriction exists precisely to enforce a quota on free resources. The fact that it's enforced only on the client or non-atomically on the backend makes it exploitable via concurrent requests, which is a classic race condition (CWE-362 / CWE-1236).

Why it’s a valid vulnerability:

  • Bypasses backend-enforced business logic
  • Allows resource usage beyond intended permissions
  • No rate limiting or locking mechanisms prevent it
  • Can be scripted and scaled, potentially allowing malicious users to create thousands of free instances at no cost
  • This leads to financial and infrastructural impact (denial of service, billing evasion, platform degradation)

This type of issue has been historically recognized as valid and impactful by many platforms (e.g. GitHub, Shopify, Google Cloud), and has resulted in bug bounty rewards because it exposes unintended service access.

I’d be happy to help clarify further or demonstrate a scaled impact if needed.

Best regards,
dav3n
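The check-then-act race the report describes, next to the atomic fix its recommendations ask for, as an added illustration that is not part of the report or of alwaysdata's code. A SQLite table stands in for the subscription store, a cooperative scheduler interleaves N requests the way concurrent handlers would, and the table, product name and account id are constructed.

```python
import sqlite3

FREE_PRODUCT = "free_100mb"  # constructed product name, stands in for the 100MB free cloud

def new_db(enforce_unique):
    """In-memory stand-in for the subscription store (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscriptions (id INTEGER PRIMARY KEY, account_id INTEGER NOT NULL, product TEXT NOT NULL)")
    if enforce_unique:  # the database, not the request handler, guarantees one free row per account
        conn.execute("CREATE UNIQUE INDEX one_free_per_account ON subscriptions(account_id) WHERE product = 'free_100mb'")
    return conn

def racy_handler(conn, account_id):
    """Vulnerable: the quota check and the insert are two separate steps (CWE-362)."""
    (count,) = conn.execute("SELECT COUNT(*) FROM subscriptions WHERE account_id = ? AND product = ?",
                            (account_id, FREE_PRODUCT)).fetchone()
    if count >= 1:
        return False
    yield  # check-to-act window: concurrent requests all pass the same check here
    conn.execute("INSERT INTO subscriptions (account_id, product) VALUES (?, ?)", (account_id, FREE_PRODUCT))
    return True

def atomic_handler(conn, account_id):
    """Hardened: no separate check; the INSERT either succeeds once or is rejected."""
    yield  # same scheduling point as above, but nothing is decided before the insert
    try:
        conn.execute("INSERT INTO subscriptions (account_id, product) VALUES (?, ?)", (account_id, FREE_PRODUCT))
    except sqlite3.IntegrityError:  # every insert after the first violates the unique index
        return False
    return True

def run_interleaved(requests):
    """Round-robin scheduler: every request takes one step before any takes its next."""
    results, pending = {}, list(enumerate(requests))
    while pending:
        i, gen = pending.pop(0)
        try:
            next(gen)
            pending.append((i, gen))
        except StopIteration as done:
            results[i] = done.value
    return [results[i] for i in range(len(requests))]

def simulate(handler, n_requests, enforce_unique, account_id=42):
    """Return (requests that reported success, rows actually created) for one account."""
    conn = new_db(enforce_unique)
    results = run_interleaved([handler(conn, account_id) for _ in range(n_requests)])
    (rows,) = conn.execute("SELECT COUNT(*) FROM subscriptions WHERE account_id = ?", (account_id,)).fetchone()
    return results.count(True), rows
```

With the same interleaving, `simulate(racy_handler, 5, False)` creates five free instances for one account while `simulate(atomic_handler, 5, True)` creates exactly one; a row-level lock or a serializable transaction around the check and insert is the equivalent fix where a unique index does not fit the schema.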
