Breaking Boundaries: Discovering Session Invalidation Failures in User Roles


Hawkeye

Hey everyone, it’s Hawkeye666. This is my first article, and today I’ll be telling you how I found a bug named “Session Invalidation Failure on Role Change.”

Session Invalidation Failure on Role Change means that when a user is downgraded from an admin to a normal user, their existing session keeps its admin privileges and they can still perform admin actions. On the dashboard they appear as a normal user, yet they can still take actions such as adding or removing team members. Because the interface shows no sign of elevated access, this bug makes unauthorized access difficult to detect and poses a significant security risk.

I discovered this bug while testing the user role management features of Target.com. While testing, I assigned an admin role to a normal user account and then downgraded that account back to a normal user. To verify the behavior, I sent a request that only an admin should be able to perform: deleting a user.

I tried to remove a third account using the downgraded account. To my surprise, I found that the third account was successfully deleted, even though the account I used was no longer an admin. This inconsistency indicated a vulnerability in session management, confirming the existence of the “Session Invalidation Failure on Role Change.”
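The steps above, modelled as an added example that is not code from the original post or from the affected site: a small in-memory web-app stand-in whose admin check either trusts the role cached in the session at login (the vulnerable pattern) or re-reads the user's current role from the user store and revokes the user's sessions whenever their role changes (the fixed pattern). The `App` class, the users `alice`, `bob` and `carol`, and the `replay` helper are all constructed for the demonstration.

```python
import secrets
from dataclasses import dataclass

# Constructed data for the demo: username -> current role in the user store.
INITIAL_USERS = {"alice": "admin", "bob": "user", "carol": "user"}


@dataclass
class Session:
    user: str
    role_snapshot: str  # role copied into the session at login (goes stale on role change)


class App:
    """Tiny in-memory stand-in for a web app with role-based admin actions."""

    def __init__(self, mode: str):
        assert mode in ("vulnerable", "fixed")
        self.mode = mode
        self.users = dict(INITIAL_USERS)
        self.sessions: dict[str, Session] = {}

    def login(self, username: str) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(username, self.users[username])
        return sid

    def _is_admin(self, sid: str) -> bool:
        sess = self.sessions.get(sid)
        if sess is None:
            return False
        if self.mode == "vulnerable":
            # Bug: trusts the role that was cached in the session at login.
            return sess.role_snapshot == "admin"
        # Fix (layer 1): authorize against the user's *current* role in the store.
        return self.users.get(sess.user) == "admin"

    def change_role(self, actor_sid: str, target: str, new_role: str) -> None:
        if not self._is_admin(actor_sid):
            raise PermissionError("only admins may change roles")
        self.users[target] = new_role
        if self.mode == "fixed":
            # Fix (layer 2): a role change invalidates the target's existing
            # sessions, so a downgraded account must log in again and receives
            # a fresh session that reflects the new role.
            stale = [sid for sid, s in self.sessions.items() if s.user == target]
            for sid in stale:
                del self.sessions[sid]

    def delete_user(self, actor_sid: str, target: str) -> bool:
        """Admin-only action. Returns True if the target was deleted."""
        if not self._is_admin(actor_sid):
            return False
        self.users.pop(target, None)
        return True


def replay(mode: str) -> bool:
    """Replays the steps from the post against the chosen variant and returns
    True if the downgraded account could still delete a third user."""
    app = App(mode)
    alice = app.login("alice")
    app.change_role(alice, "bob", "admin")  # 1. promote a normal user to admin
    bob = app.login("bob")                   # 2. that user logs in while admin
    app.change_role(alice, "bob", "user")    # 3. downgrade the user back to normal
    return app.delete_user(bob, "carol")     # 4. downgraded user attempts an admin action


if __name__ == "__main__":
    for mode in ("vulnerable", "fixed"):
        outcome = "carol deleted" if replay(mode) else "blocked"
        print(f"{mode:10}: {outcome}")
```

The fixed variant applies two independent layers: every privileged request is authorized against the current role in the user store rather than a snapshot in the session, and the role-change handler revokes the affected user's sessions. Either layer alone stops the replayed deletion; using both means a session store that is slow to revoke (for example, a cache shared across instances) still cannot serve stale admin rights. When verifying a fix of this kind, the check worth running is exactly step 4 above: reuse the session that was established while the account was an admin, after the downgrade, and confirm the admin-only request is refused.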

This bug has significant implications for the security of Target.com. Because the affected user can perform admin actions even after being downgraded, it creates a risk of unauthorized access to sensitive functions. An attacker could exploit this vulnerability to manipulate team settings, add or remove users, and potentially compromise the integrity of the system.

Due to the nature of this vulnerability, it was classified as a medium-impact issue, because an admin first had to assign the admin role to a normal user at least once before downgrading it.

I was rewarded for my findings with a 220-euro bounty, along with an additional 200-euro bonus for the critical nature of the vulnerability.

As this is my first article, I apologize for any mistakes or oversights. I appreciate your understanding, and I welcome any feedback or suggestions you may have.
