Behind Race Condition Bugs
Hello everyone! I’m Omar Mohamed, also known as 0xnanashi.
In this post, I’ll walk you through a sneaky Race Condition vulnerability I discovered in a private program on the HackerOne platform.
Summary
The program I worked on has a feature that allows me to add 1 collaborator, and of course a collaborator cannot invite another one.
I was able to:
- Add multiple collaborators (bypassing the 1-collaborator limit)
- Remain stealthy (owner only sees “pending” invite)
- Become semi-undeletable (requires dozens of refresh + revoke attempts)
Attack Workflow
I created a team and invited a collaborator. I intercepted the invite request and tested it using a collaborator’s cookies.
So the problem here is that the limit on the team is one. It is not that I don’t have access; the limit on the number of collaborators is the problem.
I thought, why not try a race condition? By leaving the team and, at the same time, sending multiple collaborator invitations (including inviting myself multiple times), I might bypass the limit. This could make it so the owner can’t remove me.
I captured both the “leave team” and “add collaborator” requests, grouped and duplicated them, then sent them in parallel.
I tried this, and it worked without any issues. From the owner’s view, the invitation is still marked as “pending,” but I was able to access everything stealthily.
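The pattern behind this kind of limit bypass is a check-then-act gap: every parallel request reads the collaborator count before any of them writes. The following is an added example, not code from the original post or from the affected program; the `Team` class, handler names and the barrier that stands in for request latency are all constructed for illustration, and it shows the non-atomic check beside a version where check and write form one critical section.

```python
import threading

LIMIT = 1  # the one-collaborator limit described in the post

class Team:
    """Constructed in-memory stand-in for the team record (hypothetical)."""

    def __init__(self):
        self.collaborators = []
        self._lock = threading.Lock()

    def invite_racy(self, user, gate):
        # Check-then-act: the limit is read here ...
        if len(self.collaborators) >= LIMIT:
            return False
        gate.wait()  # stands in for request latency between check and write
        # ... and the write lands after every parallel request passed the check.
        self.collaborators.append(user)
        return True

    def invite_atomic(self, user, gate):
        gate.wait()  # release all requests at the same instant
        # Check and write form one critical section. In a real service this
        # would be a row lock, a transaction or a database constraint.
        with self._lock:
            if len(self.collaborators) >= LIMIT:
                return False
            self.collaborators.append(user)
            return True

def run_parallel(handler_name, requests=5):
    """Fire `requests` simultaneous invites; return (accepted, collaborators)."""
    team = Team()
    gate = threading.Barrier(requests)
    accepted = []

    def worker(i):
        if getattr(team, handler_name)(f"user{i}", gate):
            accepted.append(i)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(accepted), len(team.collaborators)

if __name__ == "__main__":
    print("racy  :", run_parallel("invite_racy"))
    print("atomic:", run_parallel("invite_atomic"))
```

The same property can be used as a regression test: after a burst of simultaneous invites, the stored collaborator count must never exceed the limit.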
I reported that bug and got a bounty for it.