Account Takeover via Invite Functionality Exploit
An attacker can exploit the invite functionality to obtain valid JWT tokens, allowing them to take over accounts of newly registered users. This affects the latest commit on the main branch (a761d83) and has not yet been patched.
Threat Overview
The vulnerability arises from the invite functionality, which issues a one-time use token to invited users. An attacker can invite a target email, obtain the token, and then retract the invite. When the target later registers independently, the attacker can use the previously obtained token to reset the target's password and take over their account. The core issue is that the one-time token is not invalidated when the invite is retracted, and the reset-password endpoint does not verify that the email in the token matches the email in the authorization header.
Attack Scenario
An attacker invites a non-registered email (e.g., target@a.com) to their organization and obtains a one-time use token. They then retract the invite. When the target registers independently, the attacker uses the one-time token to reset the target's password, thereby gaining access to the target's account.
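The two missing checks described in the overview and the scenario above (revoking the one-time token when an invite is retracted, and binding the token's email to the caller identified by the Authorization header), shown as an added example that is not the affected project's code. The HMAC-signed token, the `REVOKED`/`USED` sets and the `auth_email` parameter are assumptions standing in for the application's JWT and session handling.

```python
from typing import Optional
import hashlib, hmac, json, secrets
from base64 import urlsafe_b64decode, urlsafe_b64encode

SECRET = b"constructed-demo-key"   # assumption: server-side signing key (constructed)
REVOKED = set()                    # jti values of retracted invites
USED = set()                       # jti values already consumed

def _issue(claims: dict) -> str:
    """Minimal HMAC-signed token standing in for the app's JWT (constructed)."""
    body = urlsafe_b64encode(json.dumps(claims).encode()).decode()
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def _decode(token: str) -> Optional[dict]:
    body, _, sig = token.partition(".")
    expect = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expect.encode()):
        return None
    return json.loads(urlsafe_b64decode(body))

def invite(email: str) -> str:
    """Issue a one-time invite token bound to the invited email."""
    return _issue({"email": email, "jti": secrets.token_hex(8), "purpose": "invite"})

def retract_invite(token: str) -> None:
    """Fix 1: retracting an invite must invalidate its token."""
    claims = _decode(token)
    if claims:
        REVOKED.add(claims["jti"])

def reset_password_vulnerable(token: str, auth_email: str) -> bool:
    """Behaviour the advisory describes: any validly signed token is accepted,
    with no revocation check and no comparison against the caller's email."""
    return _decode(token) is not None

def reset_password_fixed(token: str, auth_email: str) -> bool:
    """auth_email is the identity taken from the Authorization header (session)."""
    claims = _decode(token)
    if claims is None or claims.get("purpose") != "invite":
        return False
    if claims["jti"] in REVOKED or claims["jti"] in USED:
        return False                # Fix 1: retracted or consumed tokens are dead
    token_email = str(claims.get("email", "")).encode()
    if not hmac.compare_digest(token_email, auth_email.encode()):
        return False                # Fix 2: token must belong to the caller
    USED.add(claims["jti"])         # enforce one-time use
    return True
```

With the fixed handler, a token issued for one address and then retracted is rejected even when the address later registers, and a live token cannot be replayed against a different account.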
Who is affected
Any users who are invited to the platform but have not yet registered, as well as any new users who register independently after an attacker has pre-created and stored tokens for their email addresses.