Logic Flaw: Using Invitation Function to Block Other Accounts
Summary
The blogger details an account-blocking vulnerability they discovered in a service booking app that allows users to invite others to join a team via email.
While testing the invitation function, they discovered that the app does not verify if the invitee’s email is already registered.
This means an attacker can block a victim from creating an account by inviting them first, as the platform automatically reserves their email.
An invited user cannot delete their account or leave the business, nor can they sign up for the platform using the same email if they are a legitimate customer.
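The flaw described above and one way to close it, as an added in-memory model that is not the booking app's code: `VulnerableTeamService` and `HardenedTeamService` are hypothetical names, and the hardened version holds invitations as pending, single-use tokens that never touch the account table, so a later signup for the same address still succeeds and the invitee can decline.

```python
import secrets


class VulnerableTeamService:
    """Reserves the invitee's address as a member account the moment an invite is sent."""

    def __init__(self):
        self.accounts = {}  # email -> {"team": team_or_None, "invited": bool}

    def invite(self, team, email):
        # No check whether the address is already registered or even wants to join.
        self.accounts[email] = {"team": team, "invited": True}
        return True

    def signup(self, email):
        # A legitimate customer is refused because the invite already reserved the address.
        if email in self.accounts:
            return False
        self.accounts[email] = {"team": None, "invited": False}
        return True


class HardenedTeamService(VulnerableTeamService):
    """Same account table and signup; invitations stay pending until the addressee accepts."""

    def __init__(self):
        super().__init__()
        self.pending = {}  # token -> (team, email)

    def invite(self, team, email):
        # Nothing is written to the account table; only a single-use token is created.
        token = secrets.token_urlsafe(16)
        self.pending[token] = (team, email)
        return token  # delivered to the invitee's mailbox only

    def accept(self, token, email):
        # The token must be redeemed by the addressed user and is consumed only on success.
        entry = self.pending.get(token)
        if entry is None or entry[1] != email:
            return False
        del self.pending[token]
        self.accounts.setdefault(email, {"team": None, "invited": False})["team"] = entry[0]
        return True

    def decline(self, token):
        # The invitee can refuse; nothing about them was ever stored in accounts.
        return self.pending.pop(token, None) is not None
```

A production version would also expire pending tokens and rate-limit invitations per team, which the model leaves out.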
The blogger suggests that this could be leveraged to frustrate users into switching to a competitor platform, leading to reduced revenue for the target app.
They also note that the vulnerability is easy to exploit and can be carried out by sending a simple POST request to the invitation endpoint using the victim’s email address.
The blogger concludes by emphasizing that a bug’s impact can often be more far-reaching than it first appears.
They encourage readers to consider a different perspective when assessing the potential impact of vulnerabilities.
The blogger plans to release a subsequent post detailing the pre-authentication takeover vulnerability discussed earlier in the article.