One Click to Collapse: Chaining Logic Flaw + CSRF to Take Down a SaaS Organization
In the name of God, the Most Gracious, the Most Merciful.
Prayers and peace be upon the noblest of messengers, our master Muhammad, upon him the best of prayers and the most perfect salutations.
Hey friends, I’m CANITEY, and today I’m thrilled to walk you through one of the most impactful attack chains I’ve discovered — one that let me completely take down an entire SaaS organization and lock out every single member, including the owner. All by chaining two bugs that, on their own, seemed harmless… but together? Game over.
Let’s break it down.
🎯 The Target
The target is a SaaS platform that helps users test their websites. It uses a team-based structure where each user belongs to exactly one organization. You can either create a new org or be invited to one — but you can’t be in multiple at once. When you join another org, you leave the previous one automatically.
Seems reasonable, right? Well…
🧠 First Weakness: A Logic Flaw That Destroys the Organization
Here’s where things get interesting.
In this system, users don’t have standalone accounts. Instead, their accounts are tied directly to the organization. If the org disappears or becomes broken, so do the accounts of all its members.
The app was smart enough to prevent the owner from abandoning their organization… or so they thought.
There are two ways to invite users to an org:
- Email Invite — Secure. If the owner receives this and tries to accept, the system blocks them. ✅
- Generic Invite Link — Boom. Here’s where the real fun starts. 💣
Using the generic invite link, even the owner could join another team. When that happens, they automatically leave their current organization — leaving it ownerless, completely broken, and locking out every other member from their accounts. No one can log in anymore. Not even admins.
But here’s the twist: switching teams requires one last step. Normally a user has to click an “acceptance” button, as shown in the image below, but …
🧨 Second Weakness: CSRF That Forces Team Switches Silently
When I clicked the “Switch Team” button, I noticed something odd. It made a simple GET request to a URL like this:
https://accounts.example.com/accept-invitation?gid=9485696&token=28eed7122146f2a8179a393df6129b1a
The token in this URL? It was the same one used in the generic invite link.
So I thought, what if I just force the admin to visit this URL? No interaction. No confirmation.
And guess what?
It worked.
Just by tricking an admin into visiting a crafted link (via CSRF), I could silently force them to switch to a new organization. Their original org? Gone. Broken. Every member? Locked out. Full takedown. No alerts. No popups. Just silence.
And here is the POC code:
    <!-- Same GET endpoint the "Switch Team" button calls; the token is the generic invite token -->
    <form method="get" action="https://accounts.example.com/accept-invitation">
        <input type="hidden" name="token" value="ccbadac721a11fe7b2a51d039b8eef00">
        <input type="hidden" name="gid" value="9489444">
        <button></button>
    </form>
    <script>
        // Auto-submit as soon as the page loads, so the victim never has to click anything
        document.forms[0].submit()
    </script>
Just by tricking the admin into visiting this POC, which can be hosted on any public website, the whole organization is taken down in one click.
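To make the fix concrete, here is an added example (my own illustration, not the author's code or the target's) of what a hardened accept-invitation handler looks like on the server side, closing both weaknesses at once: the state change only accepted over POST, the Origin and a per-session CSRF token checked, and an owner never allowed to abandon their org by accepting any invite. The server secret, the invite table, the user model and the function names are all assumptions for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass

SITE_ORIGIN = "https://accounts.example.com"
# Assumed server-side values (constructed for this example, not taken from a real deployment).
SERVER_SECRET = b"constructed-example-secret"
# Invite table: token -> the organization id it is valid for (values reused from the write-up's URL).
INVITATIONS = {"28eed7122146f2a8179a393df6129b1a": "9485696"}


@dataclass
class User:
    user_id: str
    org_id: str
    is_owner: bool


def csrf_token_for(session_id: str) -> str:
    """Per-session anti-CSRF token: HMAC of the session id under a server secret,
    so a third-party page cannot compute it for a victim's session."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def accept_invitation(user: User, session_id: str, method: str, origin, form: dict) -> str:
    """Hardened handler. Returns 'accepted' or 'rejected: <reason>'."""
    # Fix 1: a state change must not be reachable through a top-level GET navigation.
    if method != "POST":
        return "rejected: state-changing request must be POST"
    # Fix 2: a cross-site form post carries the attacker's Origin header, not ours.
    if origin != SITE_ORIGIN:
        return "rejected: cross-origin request"
    # Fix 3: the request must carry the token bound to this session (constant-time compare).
    if not hmac.compare_digest(form.get("csrf", ""), csrf_token_for(session_id)):
        return "rejected: missing or wrong CSRF token"
    # Fix 4 (the logic flaw): an owner can never leave their org by accepting an invite,
    # whether it arrived by e-mail or through the generic link.
    if user.is_owner:
        return "rejected: owner must transfer ownership before switching teams"
    # Fix 5: the invite token must actually belong to the requested organization.
    gid = form.get("gid")
    if gid is None or INVITATIONS.get(form.get("token")) != gid:
        return "rejected: invitation token does not match organization"
    user.org_id = gid
    return "accepted"
```

The first check alone already defeats the auto-submitting GET form above; the fourth is what removes the takedown impact even if a CSRF bypass were ever found.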
💥 Final Impact
By chaining these two bugs:
- A logic flaw that let owners abandon their organizations via invite links.
- A CSRF vulnerability that silently forced users to accept those invites…
…I achieved maximum impact. A single click from an admin was all it took to destroy the organization and disable every account tied to it.
Stay sharp out there. Sometimes the smallest cracks lead to the biggest breaches.
End
Thanks for reading. Feel free to give me advice in the comments section or contact me directly via: