Application vulnerabilities such as pre-authentication account takeover and logic flaws can expose user data and provide backdoor access to accounts.
In this case, the tester (Grey) discovers that the application allows the creation of accounts using any email address without verification, allowing account takeovers.
Further investigation leads to the discovery of a logic flaw in the invitation feature, allowing malicious actors to block user access.
The tester also identifies an authorisation flaw that enables an account owner to delete other types of accounts but not their own.
This leads to the key finding: since there is no option to invite another owner account, Grey attempts to invite their own account as a manager and then elevate it to an owner account, creating a permanent backdoor for access to the victim’s business account.
This authorised but unintended access could allow complete control over the victim’s data and activities, representing a significant vulnerability.
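The chain described above rests on three policy gaps: sign-up binds an unverified e-mail address to an account, a non-owner role can be elevated to owner, and an owner cannot be removed by another owner. The following is an added example, not code from the original write-up or from the tested application, that models a hardened version of that role policy in Python and replays the same steps against it. The "staff" role, the function names, the in-memory store and the sample e-mail addresses are assumptions constructed for this illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Roles assumed for this illustration; the write-up itself names owner and manager.
ROLES = ("owner", "manager", "staff")


class PolicyError(Exception):
    """Raised when the authorisation policy refuses an action."""


@dataclass
class User:
    email: str
    verified: bool = False  # True only after the verification link is used


@dataclass
class Business:
    members: Dict[str, str] = field(default_factory=dict)  # email -> role
    audit: List[str] = field(default_factory=list)         # who changed what


def register(users: Dict[str, User], email: str) -> User:
    """Create an account that stays unverified: an unverified account can never be
    attached to a business, so claiming someone else's address grants nothing."""
    if email in users:
        raise PolicyError("email already registered")
    users[email] = User(email)
    return users[email]


def verify(users: Dict[str, User], email: str) -> None:
    users[email].verified = True


def new_business(users: Dict[str, User], owner_email: str) -> Business:
    if not users[owner_email].verified:
        raise PolicyError("owner must be verified")
    return Business(members={owner_email: "owner"})


def _require_verified_owner(users: Dict[str, User], biz: Business, actor: str) -> None:
    user = users.get(actor)
    if user is None or not user.verified or biz.members.get(actor) != "owner":
        raise PolicyError(f"{actor} is not a verified owner of this business")


def invite(users, biz, actor, invitee, role) -> None:
    """Owner invites a verified account into a non-owner role. Because 'owner' is
    not an invitable role, the invite path can never create a second owner."""
    _require_verified_owner(users, biz, actor)
    if role not in ROLES or role == "owner":
        raise PolicyError("owner is not an invitable role; use transfer_ownership")
    target = users.get(invitee)
    if target is None or not target.verified:
        raise PolicyError("invitee must hold a verified account")
    if invitee in biz.members:
        raise PolicyError("already a member; use change_role")
    biz.members[invitee] = role
    biz.audit.append(f"{actor} invited {invitee} as {role}")


def change_role(users, biz, actor, target, new_role) -> None:
    """Moves between non-owner roles only; ownership is never granted here."""
    _require_verified_owner(users, biz, actor)
    if target not in biz.members:
        raise PolicyError("not a member")
    if new_role not in ROLES or new_role == "owner" or biz.members[target] == "owner":
        raise PolicyError("ownership changes only via transfer_ownership")
    biz.members[target] = new_role
    biz.audit.append(f"{actor} changed {target} to {new_role}")


def transfer_ownership(users, biz, actor, new_owner) -> None:
    """Exactly one owner at all times: the acting owner steps down to manager, so
    there is never an owner that the current owner is unable to remove."""
    _require_verified_owner(users, biz, actor)
    if new_owner not in biz.members or not users[new_owner].verified:
        raise PolicyError("new owner must be a verified member")
    biz.members[actor] = "manager"
    biz.members[new_owner] = "owner"
    biz.audit.append(f"{actor} transferred ownership to {new_owner}")


def remove_member(users, biz, actor, target) -> None:
    _require_verified_owner(users, biz, actor)
    if target == actor:
        raise PolicyError("transfer ownership before leaving")
    if target not in biz.members:
        raise PolicyError("not a member")
    del biz.members[target]
    biz.audit.append(f"{actor} removed {target}")


def owners(biz: Business) -> List[str]:
    return [e for e, r in biz.members.items() if r == "owner"]


def demo() -> dict:
    """Replay the write-up's steps against the hardened policy; addresses are constructed."""
    users: Dict[str, User] = {}
    v, t = "victim@example.com", "tester@example.com"
    register(users, v)
    verify(users, v)
    register(users, t)  # claimed address, not yet verified
    biz = new_business(users, v)
    steps = [
        ("invite unverified account as manager", lambda: invite(users, biz, v, t, "manager")),
        ("verify tester", lambda: verify(users, t)),
        ("invite as owner", lambda: invite(users, biz, v, t, "owner")),
        ("invite as manager", lambda: invite(users, biz, v, t, "manager")),
        ("elevate manager to owner", lambda: change_role(users, biz, v, t, "owner")),
        ("manager removes owner", lambda: remove_member(users, biz, t, v)),
        ("owner transfers ownership", lambda: transfer_ownership(users, biz, v, t)),
        ("new owner removes old owner", lambda: remove_member(users, biz, t, v)),
    ]
    outcome = {}
    for name, action in steps:
        try:
            action()
            outcome[name] = "allowed"
        except PolicyError:
            outcome[name] = "refused"
    outcome["owners"] = owners(biz)
    return outcome


if __name__ == "__main__":
    for k, val in demo().items():
        print(f"{k}: {val}")
```

The design choice worth noting is that ownership is a single transferable position rather than a role that can be added: every owner change demotes the previous owner and is written to the audit list, so a silent second owner is impossible and any ownership change is visible to whoever reviews the log.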