Security vulnerabilities

  • Status Closed
  • Assigned To
  • Private
Attached to Project: Security vulnerabilities
Opened by Aditya2003 - 30.01.2024
Last edited by cbay - 04.02.2024

FS#21 - Bug Bounty Report

A potential security vulnerability has been identified in the user invitation token generation process when integrated with a third-party service. This vulnerability could lead to the leakage of user invitation tokens, potentially exposing sensitive information and compromising the security of user accounts.

Vulnerability Type: Information Disclosure
Affected Component: User invitation token generation integrated with third-party service
Severity: High
During our security assessment, it was discovered that the user invitation token, which is generated as part of the user invitation process, is not adequately protected when interacting with a third-party service. This oversight allows unauthorized access to the token, leading to potential exposure of sensitive information.

Steps to Reproduce:
1.Login into the account.
2.Go to the invite user function and add the email which you want to invite.
3.A token is received to that email for joining the team.
4.Keep your proxy on and click on the invitation link.
5.Set the password and you have successfully joined the team.
6.Now go back to your burp suite and search for the invitation token which is received on the step3.
7.You will notice that the token got leaked into third parties also.

If exploited, this vulnerability could allow an attacker to gain unauthorized access to user accounts, potentially leading to data theft, unauthorized access to sensitive information, and other malicious activities.

Recommendations for Mitigation:

Token Encryption: Implement encryption mechanisms to protect user invitation tokens during transmission to and from the third-party service.
Secure Transmission: Ensure that communication channels between your system and the third-party service are secure, using protocols such as HTTPS.
Token Expiry: Implement token expiration mechanisms to limit the window of opportunity for exploitation.
Audit Access Logs: Regularly audit access logs for any suspicious activities or unauthorized access.

Proof of Concept (PoC):
Include relevant information or details demonstrating the vulnerability, ensuring that no sensitive information is disclosed in the report.

I appreciate your prompt attention to this matter and look forward to working collaboratively to address and resolve this security vulnerability.

Thank you.


Closed by  cbay
04.02.2024 08:30
Reason for closing:  Invalid
cbay commented on 30.01.2024 16:30


I'm confused as we don't have an "invite" feature, neither do we have "teams". What are you referring to? Please give precise URLs.

Kind regards,

cbay commented on 31.01.2024 08:26

Could you please explain the issue in details? I don't see anything wrong in your video, and your report seems copy/pasted from a report for another company.

Sorry for that I attached some wrong information also I forgot to recheck the report


Available keyboard shortcuts


Task Details

Task Editing