Business logic error: Not able to access newly created admin account with the username admin with the password in heroiclabs/nakama

Valid

Reported on

Jul 9th 2022


  1. Hello team, recently I found that I'm able to create a dual admin via the same username; by creating a dual admin account we may not be able to log in to the newly created admin account with that username.
  2. For example, the default username and password of the nakama dashboard will be admin & password.
  3. After logging into the default admin account, we have created another admin account using the following credentials:
username: admin
email: admin@nakama.com
password: Passwd@123
role: administrator

account creation POC 1 (screenshot)

account creation POC 2 (screenshot)

  4. Now when we try to log in with the newly created account via username & password, we are not able to log in with the creds; the server is throwing an error like: Invalid credentials.
  5. To log in with the newly created account, we need to use the Email & password combo instead of username and password; the username & password combo will not work.

POC Screenrecord video:

https://drive.google.com/file/d/1y401_ppeIzh7RBm2ZRGhgNxD-UwBrYk9/view?usp=sharing

Impact

  1. Business logic error.
  2. The newly created admin account cannot log in with its username and password.
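A model of the failure mode described above, with the uniqueness check that prevents it, added here as an illustration. This is not Nakama's code: the store, the function names (NewStore, AddUserUnchecked, AddUser, Authenticate), the idea that the built-in admin lives in configuration while added console users are persisted by email, and the case-insensitive username comparison are all assumptions of the example, not facts taken from the report.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
)

// Hypothetical model of a console user store (assumption: not Nakama's code).
// The built-in admin comes from configuration; additional console users are
// stored in a table keyed by email only.

type Role string

const RoleAdmin Role = "administrator"

type User struct {
	Username string
	Email    string
	Password string // plaintext only in this toy model; real code stores a hash
	Role     Role
}

var (
	ErrInvalidCredentials = errors.New("invalid credentials")
	ErrUsernameTaken      = errors.New("username already in use")
)

type Store struct {
	builtinAdmin User            // assumed to come from config
	byEmail      map[string]User // assumed persisted console users, keyed by email
}

func NewStore(adminUser, adminPass string) *Store {
	return &Store{
		builtinAdmin: User{Username: adminUser, Password: adminPass, Role: RoleAdmin},
		byEmail:      make(map[string]User),
	}
}

// AddUserUnchecked mirrors the reported behaviour: uniqueness is only
// enforced on email, so a second user named "admin" can be created.
func (s *Store) AddUserUnchecked(u User) error {
	key := strings.ToLower(u.Email)
	if _, exists := s.byEmail[key]; exists {
		return errors.New("email already in use")
	}
	s.byEmail[key] = u
	return nil
}

// AddUser is the hardened version: reject a username that collides with the
// built-in admin or with any stored user before anything is written.
// Assumption: usernames are compared case-insensitively so "Admin" cannot
// shadow "admin" either.
func (s *Store) AddUser(u User) error {
	if strings.EqualFold(u.Username, s.builtinAdmin.Username) {
		return ErrUsernameTaken
	}
	for _, existing := range s.byEmail {
		if strings.EqualFold(existing.Username, u.Username) {
			return ErrUsernameTaken
		}
	}
	return s.AddUserUnchecked(u)
}

func passwordMatches(stored, given string) bool {
	return subtle.ConstantTimeCompare([]byte(stored), []byte(given)) == 1
}

// Authenticate accepts a username or an email. In this model a username
// resolves to the built-in admin first, so a stored user with the same
// username is only reachable through its email.
func (s *Store) Authenticate(identifier, password string) (User, error) {
	if strings.Contains(identifier, "@") {
		u, ok := s.byEmail[strings.ToLower(identifier)]
		if ok && passwordMatches(u.Password, password) {
			return u, nil
		}
		return User{}, ErrInvalidCredentials
	}
	if strings.EqualFold(identifier, s.builtinAdmin.Username) {
		if passwordMatches(s.builtinAdmin.Password, password) {
			return s.builtinAdmin, nil
		}
		return User{}, ErrInvalidCredentials // the duplicate "admin" never gets here
	}
	for _, u := range s.byEmail {
		if strings.EqualFold(u.Username, identifier) && passwordMatches(u.Password, password) {
			return u, nil
		}
	}
	return User{}, ErrInvalidCredentials
}

func main() {
	s := NewStore("admin", "password")
	dup := User{Username: "admin", Email: "admin@nakama.com", Password: "Passwd@123", Role: RoleAdmin}
	fmt.Println("unchecked create:", s.AddUserUnchecked(dup))
	_, err := s.Authenticate("admin", "Passwd@123")
	fmt.Println("username login:", err)
	_, err = s.Authenticate("admin@nakama.com", "Passwd@123")
	fmt.Println("email login:", err)

	hardened := NewStore("admin", "password")
	fmt.Println("checked create:", hardened.AddUser(dup))
}
```

Run with `go run .`: the unchecked store accepts the second "admin", the username login then fails with invalid credentials while the email login succeeds, and the hardened store refuses the duplicate at creation time. The check belongs at creation rather than at login because once two records share a login identifier there is no correct way to pick one.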
Timeline

  - We are processing your report and will contact the heroiclabs/nakama team within 24 hours (a month ago)
  - We have contacted a member of the heroiclabs/nakama team and are waiting to hear back (a month ago)
  - We have sent a follow up to the heroiclabs/nakama team. We will try again in 7 days. (a month ago)
  - heroiclabs/nakama maintainer has acknowledged this report (a month ago)
  - Andrei Mihu validated this vulnerability (15 days ago)
  - drxadz has been awarded the disclosure bounty
  - The fix bounty is now up for grabs
  - The researcher's credibility has increased: +7
  - Andrei Mihu confirmed that a fix has been merged on fcd007 (15 days ago)
  - The fix bounty has been dropped