June 8, 2026
How I found a race condition leading to premium subscription bypass via concurrent user addition
Raccoon

Hello raccoonians,
Let's get into the topic directly. There was a program that has an organization feature, so you can create your organization, add members, manage them, etc. There were two plans: a free one and a premium (paid) plan.
While exploring functions I found a function that enables me to invite users by their email. I found I could only invite 5 users on the free plan, and I was on the free plan.
There were only two members in the organization (me and one called "Hani123prohan"), so I could invite only 3 remaining members. I invited a user and intercepted the request, sent it to Repeater and repeated it 3 times (for 3 users), then repeated it multiple more times, and in the last request I added the attacker, called "Kamelpro123pro" (which must be rejected, as it would be above 5 users).
I sent them in parallel.
To my surprise the attacker was added, and there were more than 5 users in the organization.
The attacker was emailed the invitation link.
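The root cause described above is a check-then-act race: the server reads the member count, then inserts the invited user, and parallel requests all pass the check before any insert lands. The following is an added example (not the program's code, and not the author's), with constructed member names; it reproduces the 2-members-plus-6-invites scenario against a vulnerable handler and a hardened one that serializes check and insert.

```python
import threading
import time

FREE_PLAN_LIMIT = 5  # seat limit for the free plan, as stated in the post


class VulnerableOrg:
    """Check-then-act invite: read the seat count, then add the member.
    Nothing stops several concurrent requests from all passing the check."""

    def __init__(self, members, window=lambda: None):
        self.members = list(members)
        self._window = window  # stands in for latency between check and insert

    def invite(self, email):
        if len(self.members) >= FREE_PLAN_LIMIT:
            return False
        self._window()  # e.g. sending the invite e-mail, a second DB query
        self.members.append(email)
        return True


class HardenedOrg(VulnerableOrg):
    """Same logic, but check and insert run under one lock (in a real service:
    one DB transaction holding a row lock on the organization, or an atomic
    conditional insert), so concurrent invites are serialized."""

    def __init__(self, members, window=lambda: None):
        super().__init__(members, window)
        self._lock = threading.Lock()

    def invite(self, email):
        with self._lock:
            return super().invite(email)


def concurrent_invites(org, emails):
    """Fire all invites at once and return the resulting member count."""
    threads = [threading.Thread(target=org.invite, args=(e,)) for e in emails]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(org.members)


def demo():
    """Post's scenario: 2 existing members, 6 simultaneous invites (3 seats left).
    Returns (members after vulnerable run, members after hardened run)."""
    start = ["me@example.com", "hani@example.com"]  # constructed stand-ins
    invites = [f"user{i}@example.com" for i in range(6)]
    gate = threading.Barrier(len(invites))  # every check runs before any insert
    vulnerable = concurrent_invites(VulnerableOrg(start, gate.wait), invites)
    hardened = concurrent_invites(HardenedOrg(start, lambda: time.sleep(0.001)), invites)
    return vulnerable, hardened  # (8, 5)
```

The barrier in `demo()` makes the race window deterministic for the vulnerable class; the hardened class cannot deadlock on it because its lock is what the fix relies on, so it gets a plain sleep instead.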
Hope you enjoyed ❤
Don't forget to check out my content, you'll like it.