Not a Vuln: Race Condition Allows Creation of Multiple Organizations with the Same Name

## Summary: A race condition vulnerability exists in the organization creation logic that allows an attacker to create multiple organizations with the same name, violating the expected uniqueness constraint enforced by the UI. This could lead to confusion, broken business logic, or potential misuse depending on how organization identity is handled across the platform. ## Steps to Reproduce: 1. Login to your account and navigate to the organization creation page. 2 Choose an organization name, e.g., ctrl2. and create the organization while intercepting the request on burp. 3. Observe that the organization is created successfully. 4. Now try creating another organization with the same name as the first and observe that you receive an error `You already have an organization with this name.` As shown below: {F4557889} 5. Now locate the organization creation on your burpsuite traffic as shown below: ``` POST /settings/orgs/new HTTP/2 Host: wakatime.com Cookie: csrftoken=c25cc215f903abf846b48d367d927846cef87dfdf937fb24a5ea5608a5a4ac55; session=.eJxNkctqKzEMhvd9ijLrGuSrrHmOrroZZFk-HZpkwJOBQsm710nOgbOz9V_0Gf-8vL5OS-u6f07ztR_69hisdZqnCjUn66pn5KrimzI3jR48EykkiN5yRhcgZCVfmvOSSk2cbXUh0AjUVoWa4l0uUMhjULKtKqgFbBAUke9-wcAgzmvKHAhtZZLpyXLs2p9AFEodSM5ES2TGAmeyZjFlBFwEaLHGZ0j23q7bl15GSlwUcTY2GuCl5ZBKyNUnrORw3ERbxgHaBl0rLnBUjgkyRw4s8W-jfjccXiJKhjEWE0oGQz4VU1PhEGyK3sM0_wz3nWBsduCiATQW3m2aAecIH4-2oV-HztM43_7VP55o2SZUm4xTO3ZgzCZTyQbFl-RQAoB7Aq37Itulrf286JnX0yKnbdf63y9uff2zdG3au_Zpvhyn02N-XM_Lvh1ddB-4t5fbL91QjFs.aHGhqQ.8Gxi0UY4hovSw40rLf4uXSR0gyg; ?????????; github_csrf_token=c2cc079fb1ba0e7be7439ab9d84d11aa; remember_token=94bdd862-5199-4932-8e8c-b9712500f5d5|45aaa269d747d5c764973ad9397758e1e36e8f308fdb6cff4f934e85dad66ba73a0914e77fe2164d926b37b59e6ecc475669ab40326b91bbd5a0abfa6fe34976 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: https://wakatime.com/settings/orgs/new Content-Type: application/x-www-form-urlencoded Content-Length: 85 Origin: https://wakatime.com Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Priority: u=0, i Te: trailers csrftoken=c25cc215f903abf846b48d367d927846cef87dfdf937fb24a5ea5608a5a4ac55&name=ctrl2 ``` 6. Send the request to your burp repeater and modify the "name" param to whatever you'd like to call your multiple organizations and create a group for the requests, duplicate the requests to more than 10 similar requests as shown below(group 4 tab): {F4557892} 7. Now send these group of requests in parallel (single-packet attack) so that the requests are sent concurrently at the same time as shown below: {F4557894} 8. Allow the requests to complete and follow the redirects to all the requests. Go back to your browser and observe that alot of organizations were created with the same name by exploiting this race condition as shown below (I created more than 30 organizations with the same name): {F4557896} Confirm that you also receive alot of emails for the organization' s creation as shown below: {F4557900} >Despite the UI displaying the error You already have an organization with this name, multiple organizations with the same name will be created. ## Impact - Data Integrity Violation: Duplicate organization names break the platform’s data assumptions and violate expected constraints. - Authorization and Business Logic Confusion: Many systems rely on unique org names for scoping permissions, auditing, or billing. Multiple entries may lead to incorrect access grants or misattribution. - Potential Exploitation: An attacker could abuse this flaw to: >Confuse collaborators or support teams. Bypass limitations on number of organizations. Cause issues in logging, reporting, or billing mechanisms. ## Recommendations: - Implement proper locking or transactional checks server-side to enforce unique org name constraints at the database level. - Ensure backend validations are race-safe and do not rely solely on frontend or pre-check logic. - Consider using UNIQUE constraints in the database schema for org names.