Security vulnerabilities

  • Status Closed
  • Assigned To
    xlefloch
  • Private
Attached to Project: Security vulnerabilities
Opened by monty099 - 17.11.2025
Last edited by cbay - 30.03.2026

FS#239 - Logical Flaw Allowing Full Domain Takeover via Pending Transfer Invitation

Description

There is a logical flaw in the domain transfer system within the AlwaysData platform. Creating a Mailing List and then creating a User with Administrator privileges within the domain before sending a transfer invitation causes the transfer invitation to remain pending even after it has been accepted and the domain has actually been transferred.

This flaw allows the attacker account (B) to retain an active transfer invitation that can be used later to take over the domain from any other account that received the domain (victim C).
Consequently, the attacker can regain full control of the domain even though they are no longer the owner, resulting in complete control over:

  • Email accounts
  • Mailing Lists
  • DNS settings
  • Users and permissions
  • Any data created by the victim

This represents a critical flaw in ownership control.

Steps to Reproduce

1. Setup (Account A)

1. Create a new Domain in your account A.

2. Within the domain:

  • Create a Mailing List.
  • Create a User and grant Administrator privileges.
    (This step is the primary cause of the flaw.)

3. After that, send a domain transfer invitation to your second account B.

2. First Transfer (A → B)

4. From account B:

  • Accept the transfer invitation.

5. The domain is transferred to B normally,
but the original invitation remains pending in account B despite the transfer being accepted.

3. Second Transfer (B → C “Victim”)

6. From account B (which still holds the pending invitation):

  • Send a transfer invitation to the victim account C.

7. From the victim account C:

  • Accept the invitation.

8. The victim starts using the domain normally (emails, mailing lists, DNS settings…).

4. Final Takeover (from Account B)

9. Return to account B.

You will find that the old transfer invitation is still pending acceptance.

10. Accept the pending invitation.

11. The domain fully returns to account B with all victim data and content, without any notification or additional permission.

POC: https://admin.alwaysdata.com/support/90473/

Impact

  • Full domain takeover.
  • Access to all existing email accounts.
  • Control over victim’s email-related accounts and mailing lists.
  • Full unauthorized access.
  • Highly critical (Critical).

Proposed Classification:

Severity: Critical – P1

Vulnerability Type: Logic Flaw + Broken Access Control

Suggested Fixes

1. Automatically cancel any pending transfer invitations once the domain transfer is accepted.

2. Enforce a single active transfer state, preventing more than one pending invitation for the same domain at a time.
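As an added illustration of the two suggested fixes (this is not the platform's code; the Registry model, the account names A/B/C and the domain example.test are constructed), a minimal transfer-invitation state machine that reproduces the reported A → B → C sequence when the fixes are switched off and refuses the stale re-acceptance once they are switched on:

```python
from dataclasses import dataclass, field

@dataclass
class Invite:
    domain: str
    sender: str
    recipient: str
    status: str = "pending"   # pending | accepted | cancelled

@dataclass
class Registry:
    owners: dict = field(default_factory=dict)  # domain -> owning account
    invites: list = field(default_factory=list)
    hardened: bool = True   # False reproduces the behaviour in the report

    def send_invite(self, domain, sender, recipient):
        if self.owners.get(domain) != sender:
            raise PermissionError("only the current owner may start a transfer")
        # Fix 2: at most one pending invitation per domain at a time.
        if self.hardened and any(i.domain == domain and i.status == "pending" for i in self.invites):
            raise ValueError("a transfer for this domain is already pending")
        invite = Invite(domain, sender, recipient)
        self.invites.append(invite)
        return invite

    def accept(self, invite, acceptor):
        if invite.status != "pending" or invite.recipient != acceptor:
            raise PermissionError("no pending invitation for this account")
        if self.hardened and self.owners.get(invite.domain) != invite.sender:
            raise PermissionError("sender no longer owns the domain")
        self.owners[invite.domain] = acceptor
        if self.hardened:
            # Fix 1: consume this invite and cancel any other pending one.
            for other in self.invites:
                if other.domain == invite.domain and other.status == "pending":
                    other.status = "cancelled"
            invite.status = "accepted"
        # Unhardened: the invite stays "pending" after acceptance (the bug).

def replay_report(hardened):
    """Report steps 3-10: A -> B -> C, then B re-accepts the stale invite."""
    reg = Registry(owners={"example.test": "A"}, hardened=hardened)
    invite_ab = reg.send_invite("example.test", "A", "B")
    reg.accept(invite_ab, "B")
    invite_bc = reg.send_invite("example.test", "B", "C")
    reg.accept(invite_bc, "C")
    try:
        reg.accept(invite_ab, "B")   # step 10: accept the stale invitation
    except PermissionError:
        pass                         # the hardened registry refuses it
    return reg.owners["example.test"]  # "B" if the flaw is present, else "C"
```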

Closed by cbay
30.03.2026 16:06
Reason for closing: Fixed
Admin

Hello,

The bug has been fixed, do you confirm?

Regards,

Hi,

Yes, I confirm that the fix is working.

Best regards,
