## Firebase Auth Vulnerability Exposes Reusable Email Verification Bypass via checkInviteAutoVerify Function
A medium-severity authentication flaw in the `checkInviteAutoVerify` Cloud Function allows an invite document to grant `emailVerified: true` status on every future login attempt, including from different user accounts sharing the same email address. The vulnerability, documented in GitHub issue SEC-105, affects the Firebase Auth implementation at `functions/src/index.ts` line 1127 in the `fix/fw-43-email-verification` branch (PR #585).

The function successfully identifies pending `autoVerify` invites and marks the corresponding Firebase Auth account as verified, but critically fails to delete or update the invite document afterward. The invite remains in `status: 'pending'` until explicitly consumed through the `verifyInvitedUser` invite-link flow. This design flaw transforms a single-use verification token into a persistent, reusable credential.

The attack vector is straightforward: an administrator sends an invite to a target email with `autoVerify: true`, setting invite status to `pending`. When the legitimate user first logs in with an unverified email, the function finds the invite and grants verification status. However, because the invite document persists, any subsequent registration using the same email address—including after account deletion and re-registration—triggers the same verification bypass. A malicious actor could exploit this by registering after the legitimate invitee, effectively gaining `emailVerified: true` status without completing actual email verification.
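As an added illustration (not code from the project or PR #585), the following TypeScript models the behaviour described in the two paragraphs above with in-memory stand-ins for the invites collection and the Auth user record, placing the vulnerable shape beside a hardened one that consumes the invite; the `Store`, `checkInviteAutoVerifyVulnerable`, `checkInviteAutoVerifyFixed` and `replayScenario` names and the sample email are constructed for this example.

```typescript
// Added example, not code from PR #585: an in-memory model of the
// checkInviteAutoVerify logic, vulnerable form beside a hardened form.
type InviteStatus = "pending" | "consumed";
interface Invite { id: string; email: string; autoVerify: boolean; status: InviteStatus; consumedByUid?: string }
interface AuthUser { uid: string; email: string; emailVerified: boolean }

// Constructed stand-ins for the invites collection and Firebase Auth users.
class Store {
  invites: Invite[] = [];
  users: AuthUser[] = [];
}

function findPendingInvite(store: Store, email: string): Invite | undefined {
  return store.invites.find(i => i.email === email && i.autoVerify && i.status === "pending");
}

// Vulnerable shape described in SEC-105: grants emailVerified but never
// changes the invite, so it matches again for every later unverified login.
function checkInviteAutoVerifyVulnerable(store: Store, uid: string): boolean {
  const user = store.users.find(u => u.uid === uid);
  if (!user || user.emailVerified) return false;
  if (!findPendingInvite(store, user.email)) return false;
  user.emailVerified = true;
  return true;
}

// Hardened shape: mark the invite consumed (recording who used it) in the same step that
// grants verification; in a real Cloud Function do this read-then-write in a Firestore transaction.
function checkInviteAutoVerifyFixed(store: Store, uid: string): boolean {
  const user = store.users.find(u => u.uid === uid);
  if (!user || user.emailVerified) return false;
  const invite = findPendingInvite(store, user.email);
  if (!invite) return false;
  invite.status = "consumed";
  invite.consumedByUid = uid;
  user.emailVerified = true;
  return true;
}

// Scenario from the issue: invitee logs in, account is deleted, a second account re-registers with the same email.
function replayScenario(fn: (s: Store, uid: string) => boolean): [boolean, boolean] {
  const store = new Store();
  store.invites.push({ id: "inv-1", email: "invitee@example.com", autoVerify: true, status: "pending" });
  store.users.push({ uid: "uid-A", email: "invitee@example.com", emailVerified: false });
  const first = fn(store, "uid-A");
  store.users = store.users.filter(u => u.uid !== "uid-A");  // account deleted
  store.users.push({ uid: "uid-B", email: "invitee@example.com", emailVerified: false });
  const second = fn(store, "uid-B");
  return [first, second];  // vulnerable: [true, true]; fixed: [true, false]
}
```

Auditing a real deployment amounts to the same check `replayScenario` performs: after one auto-verify, the invite document must no longer match `status: 'pending'` for a second account with the same email.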

The flaw exposes systems relying on `emailVerified` as a trust indicator to authentication abuse, particularly in workflows where email verification gates access to sensitive features or data. Organizations using Firebase Auth with similar invite-based verification patterns should audit whether their implementations consume or invalidate invite documents after use. The persistent nature of the invite document creates an asymmetry between the verification status granted and the lifecycle of the underlying invite token.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: firebase-auth, email-verification, authentication-bypass, cloud-function, security-vulnerability
- **Credibility**: unverified
- **Published**: 2026-04-24 02:54:09
- **ID**: 76628
- **URL**: https://whisperx.ai/en/intel/76628