InnoGames: Unprivileged alliance member is able to recruit new members to his alliance and accept them (xs1.grepolis.com)

2019-03-17T14:08:33
ID H1:511275
Type hackerone
Reporter batee5a
Modified 2020-06-02T07:15:51

Description

Alliances are an integral part of Grepolis: attacks are planned and strategies are forged there, all in secret from the other players. A broken access control issue allowed any unprivileged member of an alliance (tribe or guild) to invite "external" players by generating an invitation link that worked even when the alliance's invitation status was set to Closed or Invitations Only. This has not only a security impact but also a game impact, as it would be easy to invite spy accounts into alliances before leaving them, giving the player juicy intel on enemy parties.
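The server-side checks whose absence the report describes can be sketched as follows. This is an added example, not InnoGames code. Every name in it (`Alliance`, `may_invite`, `create_invite`, `redeem_invite`, the `"invite"` right) is hypothetical, and it assumes that Closed admits no one while Invitations Only admits players invited by a member who holds the invite right.

```python
import secrets
from dataclasses import dataclass, field

# Hypothetical admission states, modelled on the statuses named in the report.
OPEN, INVITE_ONLY, CLOSED = "open", "invite_only", "closed"

class Forbidden(Exception):
    """Raised when a server-side authorization check fails."""

@dataclass
class Alliance:
    admission: str                                # OPEN, INVITE_ONLY or CLOSED
    members: set = field(default_factory=set)
    rights: dict = field(default_factory=dict)    # player -> set of rights
    invites: dict = field(default_factory=dict)   # token -> issuing player

def may_invite(alliance, player):
    # Membership alone is not enough; the invite right must be granted.
    return player in alliance.members and "invite" in alliance.rights.get(player, set())

def create_invite(alliance, issuer):
    if alliance.admission == CLOSED:
        raise Forbidden("alliance is closed")
    if not may_invite(alliance, issuer):
        raise Forbidden("issuer lacks the invite right")
    token = secrets.token_urlsafe(16)
    alliance.invites[token] = issuer
    return token

def redeem_invite(alliance, token, player):
    issuer = alliance.invites.get(token)
    if issuer is None:
        raise Forbidden("unknown or already used invite")
    # Re-check at redemption: status and rights may have changed since issue.
    if alliance.admission == CLOSED or not may_invite(alliance, issuer):
        raise Forbidden("invite no longer valid")
    del alliance.invites[token]                   # single use
    alliance.members.add(player)
    return True

if __name__ == "__main__":
    # Constructed sample data: "leader" holds the invite right, "grunt" does not.
    a = Alliance(INVITE_ONLY, {"leader", "grunt"}, {"leader": {"invite"}})
    try:
        create_invite(a, "grunt")
    except Forbidden as e:
        print("denied:", e)
    print("joined:", redeem_invite(a, create_invite(a, "leader"), "newcomer"))
```

Checking the issuer's right and the admission status again at redemption means a link issued earlier stops working once the alliance is closed or the issuer is demoted.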