- Status: Closed
- Assigned To: xlefloch - Private
Opened by waloodi_109 - 29.10.2025
Last edited by xlefloch - 31.10.2025
FS#235 - Race Condition leads to undeletable subscription which are accepted by other user
Hello Team,
Summary:
There exists a race condition in which subscriptions are added multiple times, which makes them unremovable. As you know, the same subscription is not added in admin.alwaysdata.com, but through the race condition the same subscription can be added multiple times, and the admin can't remove the ones that another user created.
Steps To Reproduce:
1. Go to https://admin.alwaysdata.com/transfer/add/?type=account.
2. Fill in the form with the new owner (e.g. example@gmail.com) and click on validate.
3. Go to admin.alwaysdata.com and log in to your account example@gmail.com.
4. Then go to https://admin.alwaysdata.com/transfer/, accept the transfer request, and intercept the request in Burp Suite.
5. Make 10 to 15 requests and group them to send from Repeater.
6. You can see that subscriptions are added, and if you want to delete them you can't.
Impact
Irremovable/permanent subscription. Even the admin cannot remove a subscription that another user created in that account.
Thank You,
Waleed Anwar
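The duplicate rows described in the report are what a check-then-act handler produces when a burst of identical accept requests arrives together. The following is an added example, not alwaysdata's code or its patch: the schema and function names are hypothetical, and the interleaving is simulated on one SQLite connection so the result is deterministic. It contrasts the racy pattern with an atomic claim backed by a unique index.

```python
import sqlite3

# Hypothetical schema: one pending transfer, and the subscription rows
# that accepting it creates. Not alwaysdata's real data model.
SCHEMA = """
CREATE TABLE transfer (id INTEGER PRIMARY KEY, status TEXT NOT NULL);
CREATE TABLE subscription (id INTEGER PRIMARY KEY, owner TEXT NOT NULL,
                           transfer_id INTEGER NOT NULL);
INSERT INTO transfer (id, status) VALUES (1, 'pending');
"""

def make_db(unique_backstop=False):
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    if unique_backstop:
        # Second line of defence: the database itself refuses duplicates.
        db.execute("CREATE UNIQUE INDEX one_sub_per_transfer "
                   "ON subscription (transfer_id)")
    return db

def count_subscriptions(db):
    return db.execute("SELECT COUNT(*) FROM subscription").fetchone()[0]

def racy_accept_burst(db, transfer_id, owner, n):
    """Check-then-act: n parallel requests all pass the check before any writes."""
    checks = [db.execute("SELECT status FROM transfer WHERE id = ?",
                         (transfer_id,)).fetchone()[0] == "pending"
              for _ in range(n)]
    for passed in checks:
        if passed:
            db.execute("INSERT INTO subscription (owner, transfer_id) "
                       "VALUES (?, ?)", (owner, transfer_id))
            db.execute("UPDATE transfer SET status = 'accepted' WHERE id = ?",
                       (transfer_id,))
    db.commit()
    return count_subscriptions(db)

def atomic_accept(db, transfer_id, owner):
    """Claim the transfer with one conditional UPDATE; only the winner inserts."""
    with db:  # one transaction: commit on success, roll back on error
        claimed = db.execute(
            "UPDATE transfer SET status = 'accepted' "
            "WHERE id = ? AND status = 'pending'", (transfer_id,))
        if claimed.rowcount != 1:
            return False  # another request already accepted this transfer
        db.execute("INSERT INTO subscription (owner, transfer_id) "
                   "VALUES (?, ?)", (owner, transfer_id))
    return True
```
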
Hello,
A patch has been applied, do you confirm that this bug no longer appears?
Regards,
I confirmed it is fixed.
Regarding our bug bounty program, this report does not fall within its scope, as the reported bug does not pose any security risks.
Is it eligible for bounty?
No, sorry. No reward is planned for bug reports that do not pose any security risk.
But if the subscription was added multiple times, the user can't remove it; that's an issue which is resolved.
The user can't add the same subscription multiple times.