We have identified that invitation functionality in web apps introduces many security concerns. This project aims to systematically investigate the common vulnerabilities that frequently occur in invitation functionality and their unique impacts.
Why does invitation functionality cause so many security vulnerabilities?
The app backend needs to manage the invitation token over a long period (at least days), so we have frequently seen token reuse. Apps also want to attract more users, so sometimes they simply grant invited users the privilege to bypass email verification, and even users with an unverified email can receive the invitation banner.
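As an added example (not code from this project), the following Python sketch shows the server-side controls that address the two problems above: the invitation token is stored only as a hash, is bound to the invited email address, expires after a TTL and can be redeemed exactly once, so a long-lived token cannot be replayed or used to skip verification of a different address. The class and method names are my own assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Invitation:
    invited_email: str          # address the invite was sent to (normalised)
    expires_at: float           # unix time after which the token is dead
    redeemed_at: Optional[float] = None  # set on first successful redeem


class InvitationStore:
    """Server-side invitation ledger (hypothetical helper).

    Tokens are random, stored only as SHA-256 hashes, bound to the invited
    email, expire after `ttl_seconds` and are single-use.
    """

    def __init__(self, ttl_seconds: int = 7 * 24 * 3600):
        self.ttl = ttl_seconds
        self._by_hash: Dict[str, Invitation] = {}

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, invited_email: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)          # 256 bits of entropy
        self._by_hash[self._hash(token)] = Invitation(invited_email.lower(), now + self.ttl)
        return token                               # only ever sent to the invitee

    def redeem(self, token: str, claimed_email: str, now: Optional[float] = None) -> Tuple[bool, str]:
        """Return (ok, reason). Privilege is granted only when every check passes."""
        now = time.time() if now is None else now
        inv = self._by_hash.get(self._hash(token))
        if inv is None:
            return False, "unknown token"
        if inv.redeemed_at is not None:            # blocks token reuse / replay
            return False, "already redeemed"
        if now > inv.expires_at:                   # bounds the long-lived window
            return False, "expired"
        # The invite proves control of invited_email only; it must not let a
        # different, unverified address inherit that privilege.
        if not hmac.compare_digest(inv.invited_email.encode(), claimed_email.lower().encode()):
            return False, "email mismatch"
        inv.redeemed_at = now
        return True, "ok"
```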