spheronFdn / beta-testing

🐛 Report all the bug found during beta testing

Business logic vulnerability found in Invite feature #38

Open kushagrasarathe opened 2 years ago

kushagrasarathe commented 2 years ago

Describe the bug

Greetings team, I found a business logic error in the invite members feature for an organization.

A brief description of business logic vulnerabilities: business logic vulnerabilities are flaws in the design and implementation of an application that allow an attacker to elicit unintended behavior. This potentially enables attackers to manipulate legitimate functionality to achieve a malicious goal. These flaws are generally the result of failing to anticipate unusual application states that may occur and, consequently, failing to handle them safely.

When inviting a new user to an organization, a mail with an invite link is sent to the invited user, but if that link is opened in a browser where another account is already logged into Spheron, then that account is added to the organization, even though the invite was not sent to their mail.

Criticality

High

To Reproduce

Steps to reproduce the behavior:

  1. Create two accounts, and activate the PRO plan in both accounts.
  2. Log in to both accounts in separate browsers or devices.
  3. Now, from account1, invite a user with a totally different email from both of these accounts. Let's call it the third user.
  4. Now open the link received in the third user's mail in the second browser, where account2 is already logged in.
  5. You will be asked to accept or decline the invite; accept it and you will be added to account1's organization.
  6. The invite was meant only for the third user, but the second user gets added to the organization.

Expected behavior

When a user is invited to join an organization, the invite sent by mail should only be meant for that same email. If it is used while already logged in to another account, a warning should be given that this account is not authorized to join the organization.

Desktop:

Your Details
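A server-side check that implements the expected behavior described above, as an added example that is not Spheron's code: the invite handler binds acceptance to the invited address, so the logged-in session only joins the organization when its email matches. The `InviteService`, `accept_vulnerable` and `accept` names, the in-memory store, and the sample addresses are assumptions made for illustration; the vulnerable handler mirrors the behavior the report describes for comparison.

```python
"""Invite acceptance: vulnerable handler beside a hardened one (hypothetical API).

The vulnerable handler honours the invite link for whoever is logged in when it
is opened. The hardened handler checks that the session's email matches the
invited email, enforces expiry and single use, and stores only a hash of the
token that goes out by mail.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set


def _normalize(email: str) -> str:
    # Compare addresses case-insensitively and without surrounding whitespace.
    return email.strip().lower()


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Invite:
    org_id: str
    invited_email: str          # stored normalized
    expires_at: float
    accepted_by: Optional[str] = None


@dataclass
class Org:
    org_id: str
    members: Set[str] = field(default_factory=set)


class InviteService:
    def __init__(self, ttl_seconds: int = 7 * 24 * 3600,
                 now: Callable[[], float] = time.time):
        self.orgs: Dict[str, Org] = {}
        self.invites: Dict[str, Invite] = {}   # keyed by token hash
        self.ttl = ttl_seconds
        self.now = now

    def create_invite(self, org_id: str, invited_email: str) -> str:
        """Create an invite and return the raw token that goes into the mailed link."""
        self.orgs.setdefault(org_id, Org(org_id))
        token = secrets.token_urlsafe(32)
        self.invites[_hash_token(token)] = Invite(
            org_id, _normalize(invited_email), self.now() + self.ttl)
        return token

    def accept_vulnerable(self, token: str, session_email: str) -> str:
        """Flawed handler: any logged-in account that opens the link joins."""
        inv = self.invites.get(_hash_token(token))
        if inv is None:
            return "invalid"
        # Bug, as in the report: the session's email is never compared
        # with the address the invite was sent to.
        self.orgs[inv.org_id].members.add(_normalize(session_email))
        inv.accepted_by = _normalize(session_email)
        return "joined"

    def accept(self, token: str, session_email: str) -> str:
        """Hardened handler: the invite is only valid for the invited email."""
        inv = self.invites.get(_hash_token(token))
        if inv is None or inv.accepted_by is not None:
            return "invalid"            # unknown token, or already used
        if self.now() > inv.expires_at:
            return "expired"
        if _normalize(session_email) != inv.invited_email:
            # The logged-in account is not the one that was invited: refuse
            # and let the UI tell the user this account is not authorized.
            return "wrong_account"
        self.orgs[inv.org_id].members.add(inv.invited_email)
        inv.accepted_by = inv.invited_email
        return "joined"


if __name__ == "__main__":
    # Constructed sample: account1 invites a third user; account2 opens the link.
    svc = InviteService()
    link_token = svc.create_invite("org-account1", "third.user@example.com")
    print("vulnerable:", svc.accept_vulnerable(link_token, "account2@example.com"))
    svc = InviteService()
    link_token = svc.create_invite("org-account1", "third.user@example.com")
    print("hardened, account2:", svc.accept(link_token, "account2@example.com"))
    print("hardened, third user:", svc.accept(link_token, "Third.User@example.com"))
```

The hardened `accept` returns a distinct `wrong_account` result so the front end can show the warning the expected behavior asks for, rather than silently joining or silently failing; the single-use and expiry checks are the usual companions of an email-bound invite, since a token that can be replayed indefinitely weakens the binding again.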

rekpero commented 2 years ago

Yes, this vulnerability makes sense; didn't know that we were not validating the email before accepting members to the organization. Thanks for reporting, @kushagrasarathe.