We've identified that invitation functionality in web apps introduces a lot of security concerns. This project aims to systematically investigate the vulnerabilities that frequently occur in invitation functionality and their unique impacts.
Why does invitation functionality cause so many security vulnerabilities?
The app backend needs to manage the invitation token across a long period (at least days), so we've frequently seen token reuse. Apps also want to attract more users, so they sometimes grant invited users the privilege to bypass email verification, and even users with unverified email addresses can see the invitation banner.
It is not easy to balance user experience and security.
https://hackerone.com/reports/1040047
WordPress had invitation functionality vulnerable to email verification bypass in the past. Any user who enters the account registration process through an invitation link is able to claim any email address that does not belong to them, without any verification.
https://hackerone.com/reports/2586433 The invitation code intended for email A can be used to register with email B.
The invitation functionality in this app sends the invited user a link and token that can be used to reset any user's password.
Older versions of GitHub Enterprise had invitation functionality vulnerable to account takeover. When an organization invites a user through email address A, the GitHub account configured with email address A is able to accept the invitation by viewing the organization's page. However, the invitation also works for accounts with an unverified email address A. Thus, attackers can add email address A to their account in an unverified state to sneak into the organization.
Similar to the last one. As long as you can register on the app with an unverified email address and the organization invitation still pops up for the unverified email, you can potentially take over any email address invited to that organization by registering it, thus sneaking into the organization.
Also, sometimes the invited user automatically joins the team, as shown in the last two links in this section.
https://x.com/Jayesh25_/status/1726189011624989125 https://hackerone.com/reports/49566 https://x.com/Jayesh25_/status/1726189011624989125#:~:text=Nice%20one,the%20organisation%20anonymously.
https://hackerone.com/reports/835005
If user A is invited into the organization, A is able to abuse the invitation API to invite user B to the organization with the administrator role.
In effect, a normal user can invite anyone into the organization with the admin role.
https://hackerone.com/reports/331691 https://hackerone.com/reports/46429 https://medium.com/@kshunya/invitation-hijacking-4d6467f418cc https://osintteam.blog/invitation-link-hijacking-on-a-bug-bounty-program-50d3b92d5532
Invitation codes for some sensitive organizations can be reused, which introduces security risks.
https://hackerone.com/reports/56182
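As an added example (not code from this project or from any of the linked reports), the Python redemption check below closes the gaps described above in one place: the token is bound to the invited address, only an account whose address is verified can accept, and a token is single-use and expires. The in-memory store, the one-week TTL and all names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Invitation:
    org: str
    email: str          # address the invitation was issued to (normalized)
    expires_at: float   # unix time after which the token is dead
    used: bool = False  # flipped on first successful redemption


def _h(token: str) -> str:
    # Store only a hash; the raw token exists solely in the emailed link.
    return hashlib.sha256(token.encode()).hexdigest()


class InvitationStore:
    """Hypothetical in-memory store; a real app would persist this server-side."""

    def __init__(self, ttl_seconds: int = 7 * 24 * 3600):
        self.ttl = ttl_seconds
        self._by_hash: dict = {}

    def issue(self, org: str, email: str, now: float = None) -> str:
        token = secrets.token_urlsafe(32)           # 256 bits, unguessable
        now = time.time() if now is None else now
        self._by_hash[_h(token)] = Invitation(org, email.lower(), now + self.ttl)
        return token

    def redeem(self, token: str, account_email: str, email_verified: bool,
               now: float = None) -> tuple:
        """Return (accepted, reason). Every branch is one of the reported weaknesses."""
        now = time.time() if now is None else now
        inv = self._by_hash.get(_h(token))
        if inv is None:
            return False, "unknown token"
        if inv.used:                                 # reuse (report 331691 class)
            return False, "token already used"
        if now > inv.expires_at:                     # long-lived tokens
            return False, "token expired"
        if not email_verified:                       # unverified-email acceptance
            return False, "account e-mail not verified"
        if not hmac.compare_digest(inv.email.encode(), account_email.lower().encode()):
            return False, "token issued to a different address"   # email A vs. B
        inv.used = True
        return True, f"joined {inv.org}"
```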
- Users can manipulate invitation email content
- Invitations are still sent to existing users
For some apps, once an invitation is initiated, the account is created in the backend. The owner of the invited email is then not able to register an account with that email because it already exists; the only way in is to click the invitation link.