In the membership invitation system for Joystream, inviting members are free to choose the root_account and controller_account for the invitee. Setting a root_account that is controlled by the malicious inviting member could result in an account takeover for the new member at a later point in time. To mitigate this issue, we suggest that Joystream raises user awareness of the security implications of a compromised root_account during membership invitations.
Issue details
In the membership pallet, when inviting an account, the inviting member can freely choose the root_account and the controller_account for the new member. This enables the following attack scenario: an attacker invites accounts that want membership for free or well below the official membership price, on the condition that the root_account is set to one that belongs to the attacker. Users who are unaware of the security implications (e.g. because Joystream provides no guidelines or warnings for membership registration) would be incentivized to accept such an offer to gain membership. Since the root_account is controlled by the attacker, they can first change the controller_account to an account they control and then do the following:
Send/transfer invites to other accounts
If the victim has a role in a working group, with the controller account an attacker can change the role account to one that they control. With that they could leave the working group role or set the reward account to theirs.
Risk
Compromising a member's root_account would result in a membership account takeover, since the attacker possessing the root_account will be able to change the controller_account to one that they control.
Mitigation
We suggest providing guidelines/warnings to Joystream users regarding the dangers of a compromised root_account during membership invitations.
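One check such guidelines could recommend, as an added example that is not part of the report or of Joystream's code: an invitee confirms that both accounts set by the inviter are keys they hold themselves. The `Invite` and `Finding` types and the account names are hypothetical and constructed, and the root-reuse heuristic for reviewers goes beyond what the report describes.

```rust
use std::collections::{BTreeMap, HashSet};

// Hypothetical record; only the two account field names come from the report.
#[derive(Debug)]
pub struct Invite {
    pub new_member: u64,
    pub root_account: String,
    pub controller_account: String,
}

#[derive(Debug, PartialEq)]
pub enum Finding {
    // The invitee holds no key for this account, so another party does.
    NotHeldByInvitee { field: &'static str, account: String },
    // Heuristic: one root_account was set for several invited members.
    RootReused { root_account: String, members: Vec<u64> },
}

// Invitee-side check: both accounts must be keys the invitee holds.
pub fn check_own_invite(inv: &Invite, my_keys: &HashSet<String>) -> Vec<Finding> {
    let fields = [("root_account", &inv.root_account), ("controller_account", &inv.controller_account)];
    fields.iter()
        .filter(|&&(_, account)| !my_keys.contains(account))
        .map(|&(field, account)| Finding::NotHeldByInvitee { field, account: account.clone() })
        .collect()
}

// Reviewer-side heuristic over many invitation records.
pub fn reused_roots(invites: &[Invite]) -> Vec<Finding> {
    let mut by_root: BTreeMap<&str, Vec<u64>> = BTreeMap::new();
    for inv in invites {
        by_root.entry(inv.root_account.as_str()).or_default().push(inv.new_member);
    }
    by_root.into_iter()
        .filter(|(_, members)| members.len() > 1)
        .map(|(root, members)| Finding::RootReused { root_account: root.to_string(), members })
        .collect()
}

// Constructed sample: members 11 and 12 were invited with the same root_account.
pub fn sample_invites() -> Vec<Invite> {
    let mk = |m, r: &str, c: &str| Invite { new_member: m, root_account: r.into(), controller_account: c.into() };
    vec![mk(10, "acct_A", "acct_A2"), mk(11, "acct_X", "acct_B"), mk(12, "acct_X", "acct_C")]
}

fn main() {
    let mine: HashSet<String> = vec!["acct_B".to_string()].into_iter().collect();
    println!("{:?} {:?}", check_own_invite(&sample_invites()[1], &mine), reused_roots(&sample_invites()));
}
```

An empty result from `check_own_invite` means the invitee holds both keys; any `root_account` finding is the takeover precondition the report describes.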