Bypass invite accept for victim
Medium
Slack
Team Summary
Official summary from Slack
Slack Administrators were able to add an arbitrary user, identified by email address, to their Workspace, without that user accepting the attacker's invitation. This bypassed an access control that requires the recipient of a Workspace invitation to accept that invitation before being added to the Workspace.
Reported by: analyz3r
Report Details
Additional information and metadata
State: Closed
Substate: Resolved
Bounty: $1500.00
Weakness: Business Logic Errors