Bug bounty hunting often feels like a race against the system — sometimes literally. That's exactly what happened when I, Ahmed Sherif (@vultra), discovered a race condition that allowed me to bypass role‑based restrictions and delete the owner of an organization, leaving it without any administrative roles at all.
🔍 The Discovery
The application enforces rules: owners can't be deleted, and organizations must always have one owner. But I noticed something odd — what if two requests hit the backend at the same time?

So I intercepted traffic with Burp Suite and prepared two requests:
- Request A: Transfer ownership to member X.
- Request B: Delete member X.
I sent them simultaneously using Burp. The backend processed them in parallel, and the result was shocking: member X was deleted after being assigned ownership.
The organization was left without an owner. And if no admins remained, it was left without any administrative roles at all.

⚠️ Why This Matters
Without an owner or admin, no one can manage, invite, or administer the team. The organization becomes orphaned, unmanageable, and requires manual intervention to recover.
It's like handing someone the captain's hat and then immediately throwing them overboard — the ship is left adrift with no one at the helm.
🎯 Takeaway
This bug shows how race conditions can break even well‑designed business rules. The frontend and backend may each enforce the restriction, but when two requests are processed in parallel, each check runs against state the other request is about to change, and the rule collapses. It's a reminder that concurrency needs careful handling — otherwise, attackers can exploit timing to sabotage entire organizations.
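The check-then-act gap behind the transfer/delete race described above, simulated as an added example (not code from the original post or from the affected application): the vulnerable handlers validate state and then mutate it with nothing holding that state fixed in between, while the hardened versions do both steps inside one per-organization critical section. `Org`, the handler names, the barrier that forces both requests through their checks before either writes, and the in-memory model in place of a database are all assumptions constructed for the demonstration.

```python
import threading
class Org:                                # constructed in-memory organization state
    def __init__(self, owner, members):
        self.owner, self.members, self.lock = owner, set(members), threading.Lock()

# Vulnerable handlers: check, then act, with nothing keeping the state fixed in
# between. `gap` models the window in which a parallel worker handles the other request.
def transfer_vuln(org, target, gap):
    if target not in org.members:         # check: only members can become owner
        return "refused: not a member"
    gap()
    org.owner = target                    # act
    return "ok"
def delete_vuln(org, target, gap):
    if target == org.owner:               # check: owners can't be deleted
        return "refused: is owner"
    gap()
    org.members.discard(target)           # act
    return "ok"

# Hardened handlers: check and act in one critical section, so the state that was
# validated is the state that is mutated (a DB transaction with a row lock, e.g.
# SELECT ... FOR UPDATE on the organization, gives the same guarantee).
def transfer_safe(org, target):
    with org.lock:
        if target not in org.members:
            return "refused: not a member"
        org.owner = target
        return "ok"
def delete_safe(org, target):
    with org.lock:
        if target == org.owner:
            return "refused: is owner"
        org.members.discard(target)
        return "ok"
def run_parallel(*jobs):                  # two requests handled by two workers
    threads = [threading.Thread(target=j) for j in jobs]
    for t in threads: t.start()
    for t in threads: t.join()

def demo_vulnerable():
    org = Org("alice", {"alice", "x"})
    gate = threading.Barrier(2)           # both checks pass before either write lands
    run_parallel(lambda: transfer_vuln(org, "x", gate.wait),
                 lambda: delete_vuln(org, "x", gate.wait))
    return org.owner, org.owner in org.members   # ('x', False): the owner was deleted
def demo_hardened():
    org = Org("alice", {"alice", "x"})
    run_parallel(lambda: transfer_safe(org, "x"), lambda: delete_safe(org, "x"))
    return org.owner, org.owner in org.members   # (..., True) whichever request wins
```

With the lock, whichever request is serialized first makes the other one fail its check (the owner can't be deleted, or a removed member can't be made owner), so the "owner must be a member" invariant survives regardless of timing.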