Multiple user creation with the same email Id via existing verification bypass in heroiclabs/nakama

Valid

Reported on

Jun 14th 2022


  1. Hello team, while I was checking the Nakama dashboard as an administrator, I noticed that we can bypass the existing verification and create multiple users with the same email ID.

Steps to reproduce:

  1. Open the dashboard as an admin user and go to the user management form at http://site.com/#/users
  2. Create a user, capture the request with Burp Suite, and send that request to Repeater.
  3. When we try to create a user with an existing email ID, the server throws an error like:
{"code":9,"message":"Username or Email already exists","details":[]}

  4. We can bypass this validation and create a new user with the same email ID by adding a space in the email parameter, like:
{"username":"user1","email":"test@test.com","password":"Password@123","role":3,"newsletter_subscription":false}
  5. In this case we have created user1 with the email ID test@test.com, and we are able to create user2 with the same email ID by adding a space in the email parameter, like this 👇:
{"username":"user2","email":" test@test.com","password":"Password@123","role":3,"newsletter_subscription":false}
  6. For another user with the same email ID, we need to add an extra space like this, adding extra spaces each time:

Impact

  1. Due to this bypass of the existing security mechanism, the owner can create multiple users with the same email ID, and it can lead to business logic risk.
  2. If an attacker has access to the admin user, then the attacker can create users with the same email ID.
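
A server-side guard against the whitespace bypass described in this report, as an added example (not code from the report or from Nakama, and not a reproduction of the merged fix): the email is canonicalized before the uniqueness check, so the padded and unpadded forms collide. `UserStore`, `CanonicalEmail` and `Create` are hypothetical names, the store is an in-memory stand-in, and lower-casing the address is an assumed policy.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"strings"
)

var (
	ErrExists       = errors.New("Username or Email already exists")
	ErrInvalidEmail = errors.New("invalid email address")
)

// UserStore is a hypothetical in-memory stand-in for the console user table.
type UserStore struct{ names, emails map[string]bool }

func NewUserStore() *UserStore {
	return &UserStore{names: map[string]bool{}, emails: map[string]bool{}}
}

// CanonicalEmail trims surrounding whitespace, lower-cases (assumed policy)
// and rejects anything that is not a bare addr-spec after normalization.
func CanonicalEmail(raw string) (string, error) {
	e := strings.ToLower(strings.TrimSpace(raw))
	addr, err := mail.ParseAddress(e)
	if err != nil || addr.Address != e {
		return "", ErrInvalidEmail
	}
	return e, nil
}

// Create compares and stores only the canonical form, so " test@test.com"
// and "test@test.com" collide instead of becoming two accounts.
func (s *UserStore) Create(username, rawEmail string) error {
	email, err := CanonicalEmail(rawEmail)
	if err != nil {
		return err
	}
	if s.names[username] || s.emails[email] {
		return ErrExists
	}
	s.names[username], s.emails[email] = true, true
	return nil
}

func main() {
	s := NewUserStore()
	fmt.Println(s.Create("user1", "test@test.com"))  // first account is accepted
	fmt.Println(s.Create("user2", " test@test.com")) // padded duplicate is rejected
}
```

In a real deployment the same canonical value should also back a unique constraint in the database, so that concurrent requests cannot slip past the application-level check.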
We are processing your report and will contact the heroiclabs/nakama team within 24 hours. 2 months ago
drxadz modified the report
2 months ago
We have contacted a member of the heroiclabs/nakama team and are waiting to hear back 2 months ago
A heroiclabs/nakama maintainer has acknowledged this report 2 months ago
Andrei Mihu validated this vulnerability a month ago
drxadz has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Andrei Mihu confirmed that a fix has been merged on 2192e9 a month ago
The fix bounty has been dropped
drxadz
a month ago

Researcher


@admin @maintainer Can we go for a CVE? What's your opinion??

Jamie Slome
a month ago

Admin


@drxadz - it is up to the maintainer if they want to assign and publish a CVE for this report. Seeing as they did not request a CVE (which they can do through the UI), I assume they do not want one for this report.
