Hello Friends,
This is a short write-up of a peculiar bug that I found on a private bug bounty program.
It was an application with multiple roles: an Owner, an Admin, and two other roles with lower privileges. Owners and Admins could invite users to their organization.
Users could create their own organization as well as join other organizations.
So, while testing I logged into two users on different browsers, one from Org A and the other from Org B. I sent an invite from the Owner account of Org A to the Owner account of Org B. Then I revoked the invite.
When I checked the other browser, the Org B user was logged out. 🧐
I was baffled to see this and tried to log in to that account, but the application responded with an error message saying the username or password is invalid. 😕
Then I tried to reset the password, but the password reset link was not sent to the respective email.
At that time, I realized that the account may have been somehow deleted. To confirm this, I tried to create a new account with that email address, and it worked. A completely new user was created, and all the old data was erased.
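The behaviour described above is consistent with an invite-revocation handler that deletes the invited user's account instead of the pending invite record. The toy model below is an added illustration, not code from the program in this write-up; the `Directory`, `User` and `Invite` names and the in-memory store are assumptions. It shows the defective revoke beside a hardened one that removes only the invite and checks that the caller's organization actually issued it.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    email: str
    org: str
    data: list = field(default_factory=list)


@dataclass
class Invite:
    invite_id: int
    from_org: str
    invitee_email: str


class Directory:
    """Constructed in-memory model of user accounts and pending invites."""

    def __init__(self):
        self.users = {}    # email -> User
        self.invites = {}  # invite_id -> Invite

    def invite(self, from_org, invitee_email, invite_id):
        self.invites[invite_id] = Invite(invite_id, from_org, invitee_email)

    def revoke_buggy(self, caller_org, invite_id):
        # Defect matching the write-up: revoking removes the invited user's
        # account, even though that user belongs to a different organization.
        inv = self.invites.pop(invite_id)
        self.users.pop(inv.invitee_email, None)

    def revoke_fixed(self, caller_org, invite_id):
        # Hardened: only the pending invite goes away, and only when the
        # caller's organization issued it. The user record is never touched.
        inv = self.invites.get(invite_id)
        if inv is None or inv.from_org != caller_org:
            raise PermissionError("invite not found for this organization")
        del self.invites[invite_id]


def scenario(use_fix, caller_org="Org A"):
    """Replays the Org A -> Org B invite-then-revoke; returns whether Org B's owner survives."""
    d = Directory()  # constructed sample data
    d.users["owner-a@example.test"] = User("owner-a@example.test", "Org A")
    d.users["owner-b@example.test"] = User("owner-b@example.test", "Org B", ["old data"])
    d.invite("Org A", "owner-b@example.test", invite_id=1)
    (d.revoke_fixed if use_fix else d.revoke_buggy)(caller_org, 1)
    return "owner-b@example.test" in d.users
```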