Double Race Condition: Breaking Rules
Hey amazing hackers!
I’m Mohamed Sayed (@sayedv2)
Today, I want to share an exciting discovery that allowed me to bypass plan restrictions and add members to my team without any limitations. This story involves a race condition that I uncovered while testing the invite members functionality on a public bug bounty program.
What is a Race Condition?
A race condition is a type of concurrency bug that occurs when multiple threads or processes access shared data and try to change it at the same time. It can lead to unpredictable behavior and is often difficult to reproduce and diagnose. Race conditions are a common issue in multi-threaded and distributed systems.
The Hunt Begins
After spending some time exploring the platform, I decided to focus on the invite members functionality. The program had a restriction: after inviting one user, you were disallowed from inviting any more users unless you subscribed to the $175 plan. This naturally piqued my interest, and I began to think about potential ways to bypass this restriction.
Race Condition Discovery
The first thing that came to my mind was to test for a race condition while inviting users. I intercepted the invite request using Burp Suite and sent it to Repeater. By duplicating the request (Ctrl + R) and changing the username or email for different users, I tried to add multiple users simultaneously through a race condition. I grouped these requests and sent them as parallel requests.
To my delight, when I returned to the website, I saw that the invitations had been sent to the users successfully. However, my happiness was short-lived. Upon acceptance of the invite by one user, all other invitations became invalid, and only one user could join the team.
Persistence Pays Off
But I wasn’t ready to give up. I wondered if I could exploit another race condition during the acceptance of the invite. I sent the invitations again using the same race condition technique and intercepted the accept invitation requests. I grouped these requests and sent them in parallel.
Navigating back to the website, I was pleasantly surprised to see that all the users had successfully joined the team. I had bypassed the plan restrictions!
So this bug resulted from chaining two race conditions together.
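Added example, not part of the original write-up or the affected platform's code: a server-side sketch of the accept-invite step, showing a check-then-act handler that overshoots the plan's seat limit under parallel requests next to a handler that checks and claims the seat in one conditional `UPDATE`. The `teams` table, its columns, the handler names and the limit of 1 are assumptions made for illustration, and the barrier only makes the race window deterministic. The same pattern applies to the send-invite step.

```python
import sqlite3
import threading

def make_db():
    # Shared in-memory DB. db_lock serialises single statements only, as a
    # database server would; it does not serialise whole request handlers.
    conn = sqlite3.connect(":memory:", check_same_thread=False, isolation_level=None)
    conn.execute("CREATE TABLE teams (id INTEGER PRIMARY KEY, seat_limit INTEGER, seats_used INTEGER)")
    conn.execute("INSERT INTO teams VALUES (1, 1, 0)")  # constructed: plan allows 1 member
    return conn, threading.Lock()

def accept_vulnerable(conn, db_lock, gate):
    # Check, then act: two statements with a window between them.
    with db_lock:
        used, limit = conn.execute(
            "SELECT seats_used, seat_limit FROM teams WHERE id = 1").fetchone()
    gate.wait()  # test aid: holds every request inside the window
    if used >= limit:
        return False
    with db_lock:
        conn.execute("UPDATE teams SET seats_used = seats_used + 1 WHERE id = 1")
    return True

def accept_atomic(conn, db_lock, gate):
    gate.wait()  # same simultaneous arrival as the vulnerable handler
    # Check and claim in one statement; a seat is taken only if one is free.
    with db_lock:
        cur = conn.execute(
            "UPDATE teams SET seats_used = seats_used + 1 "
            "WHERE id = 1 AND seats_used < seat_limit")
        return cur.rowcount == 1

def run_parallel(handler, n=5):
    """Fire n simultaneous accept requests; return (seats_used, accepted)."""
    conn, db_lock = make_db()
    gate = threading.Barrier(n)
    accepted = []
    threads = [threading.Thread(target=lambda: accepted.append(handler(conn, db_lock, gate)))
               for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    seats = conn.execute("SELECT seats_used FROM teams WHERE id = 1").fetchone()[0]
    return seats, sum(accepted)

if __name__ == "__main__":
    print("vulnerable:", run_parallel(accept_vulnerable))
    print("atomic:    ", run_parallel(accept_atomic))
```

On a multi-connection database the conditional `UPDATE` stays safe because the row lock forces each writer to re-evaluate `seats_used < seat_limit` against the committed value.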
Lessons Learned
This discovery highlights the importance of thorough testing and thinking outside the box. By merging double race conditions, I was able to bypass a significant restriction on the platform.