Business logic error: Not able to access newly created admin account with the username admin with the password in heroiclabs/nakama
Valid
Reported on Jul 9th 2022
- Hello team, recently I found that I'm able to create a dual admin with the same username; by creating a dual admin account we may not be able to log in to the newly created admin account by username.
- For example, the default username and password of the nakama dashboard will be admin & password.
- After logging into the default admin account, we created another admin account using the following credentials:
username: admin
email: admin@nakama.com
password: Passwd@123
role: administrator
account creation POC 1
account creation POC 2
- Now when we try to log in with the newly created account via username & password, we are not able to log in with the creds; the server is throwing an error like: Invalid credentials.
- To log in with the newly created account, we need to use the email & password combo instead of username and password; the username & password combo will not work.
POC Screenrecord video:
https://drive.google.com/file/d/1y401_ppeIzh7RBm2ZRGhgNxD-UwBrYk9/view?usp=sharing
Impact
- business logic
- The newly created admin username account can't log in with username and password
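As an added illustration of the login ambiguity this report describes (this is constructed example code, not code from the report or from Nakama), the in-memory store below accepts a second account with the username admin and resolves a username login to the first matching row, so the new password is rejected while the email login still works; the hardened flag shows the fix, a uniqueness check on the username at creation time. The Account and Store types, the function names and the default admin's email address are all assumptions.

```go
package main

import (
	"errors"
	"strings"
)

// Account is a constructed model for this example, not Nakama's console schema.
type Account struct{ Username, Email, Password, Role string }
var ErrInvalidCredentials = errors.New("invalid credentials") // error text from the report
var ErrUsernameTaken = errors.New("username already taken")
// Store is an ordered list with no unique index on username; hardened=true adds the fix.
type Store struct {
	accounts []Account
	hardened bool
}

// Create adds an account; only the hardened store rejects a duplicate (case-insensitive) username.
func (s *Store) Create(a Account) error {
	for _, e := range s.accounts {
		if s.hardened && strings.EqualFold(e.Username, a.Username) {
			return ErrUsernameTaken
		}
	}
	s.accounts = append(s.accounts, a)
	return nil
}

// Login accepts a username or an email and resolves to the FIRST matching row, so a duplicate
// username always maps to the original admin and the new password fails. (Plaintext compare
// only to keep the example short; real code stores and verifies password hashes.)
func (s *Store) Login(identifier, password string) (*Account, error) {
	for i, a := range s.accounts {
		if a.Username == identifier || a.Email == identifier {
			if a.Password == password {
				return &s.accounts[i], nil
			}
			break // first match decides; later rows are never consulted
		}
	}
	return nil, ErrInvalidCredentials
}

// Reproduce replays the report (default admin, then a second "admin") and returns the second
// Create's error plus whether that account can log in by username and by email.
func Reproduce(hardened bool) (createErr error, byUsername, byEmail bool) {
	s := &Store{hardened: hardened}
	_ = s.Create(Account{"admin", "admin@example.invalid", "password", "administrator"}) // default creds; email assumed
	createErr = s.Create(Account{"admin", "admin@nakama.com", "Passwd@123", "administrator"})
	_, errU := s.Login("admin", "Passwd@123")
	_, errE := s.Login("admin@nakama.com", "Passwd@123")
	return createErr, errU == nil, errE == nil
}
```

With hardened=false the second Create succeeds, the username login fails and the email login succeeds, exactly the behaviour reported; with hardened=true the duplicate is refused at creation, so the ambiguity never arises.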
a year ago: We are processing your report and will contact the heroiclabs/nakama team within 24 hours.
a year ago: We have contacted a member of the heroiclabs/nakama team and are waiting to hear back.
a year ago: We have sent a follow up to the heroiclabs/nakama team. We will try again in 7 days.
The researcher's credibility has increased: +7
The fix bounty has been dropped
This vulnerability will not receive a CVE