Insufficient Session Expiration in heroiclabs/nakama
Aug 23rd 2022
The Nakama Console session is not invalidated when the user is deleted.
Proof of Concept
Steps to reproduce:
1. Log in to the Nakama Console as admin and create a user email@example.com
2. In a separate browser or private window, log in to the account firstname.lastname@example.org
3. In the admin session, delete the user email@example.com
4. Observe that the firstname.lastname@example.org session is not invalidated and the user can still perform all actions according to their role (for instance, if the user has the administrator role they can still create/delete users)
A session that is still open can be used by an attacker even after the account has been deleted from a different session. Because deletion does not revoke it, the session stays usable until it expires or the attacker logs out.
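For comparison, this is an added example (not Nakama's code) of the server-side behaviour the report asks for: a hypothetical Go store where deleting a user revokes every session that user owns, and where each request re-checks that the session's owner still exists and re-reads the role instead of trusting one cached at login. The type and function names (ConsoleAuth, Login, DeleteUser, Authorize) are assumptions, and TTL expiry and locking are left out to keep the example short.

```go
package main
import (
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// ErrUnauthorized covers an unknown, revoked or orphaned session.
var ErrUnauthorized = errors.New("session is no longer valid")

// ConsoleAuth is a hypothetical in-memory user/session store (single-goroutine, no TTLs).
type ConsoleAuth struct {
	roles    map[string]string // username -> role
	sessions map[string]string // session id -> username
}
func NewConsoleAuth() *ConsoleAuth {
	return &ConsoleAuth{roles: map[string]string{}, sessions: map[string]string{}}
}
func (c *ConsoleAuth) CreateUser(username, role string) { c.roles[username] = role }
// Login issues a random, server-side session id bound to an existing user.
func (c *ConsoleAuth) Login(username string) (string, error) {
	if _, ok := c.roles[username]; !ok {
		return "", ErrUnauthorized
	}
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	id := hex.EncodeToString(buf)
	c.sessions[id] = username
	return id, nil
}
// DeleteUser removes the account and revokes every session it owns,
// which is the step the vulnerable console skipped.
func (c *ConsoleAuth) DeleteUser(username string) {
	delete(c.roles, username)
	for id, owner := range c.sessions {
		if owner == username {
			delete(c.sessions, id)
		}
	}
}
// Authorize runs on every request: the session must exist and still map to a
// live user (defence in depth if revocation is ever missed); the role is read fresh.
func (c *ConsoleAuth) Authorize(id string) (string, error) {
	owner, ok := c.sessions[id]
	role, live := c.roles[owner]
	if !ok || !live {
		return "", ErrUnauthorized
	}
	return role, nil
}
```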