PretendoNetwork / account

Pretendo account server
GNU Affero General Public License v3.0

Linking existing PNID - Server doesn't check email validity #28

Open InternalLoss opened 2 years ago

InternalLoss commented 2 years ago

When trying to link a PNID to a console, the server should check PNID, password, AND email - the following HTTP headers are sent:

X-Nintendo-EMAIL: email@email.com
X-Nintendo-Local-Pin-Flag: N

NB: X-Nintendo-Local-Pin-Flag: Y is set if Parental Controls IS enabled.

InternalLoss commented 1 year ago

Bumping this for security reasons.

jonbarrow commented 1 year ago

Bumping this for security reasons.

I believe we already discussed this, but isn't this only a "security" issue if the attacker already has the user's username/password? If an attacker already has a user's login, it's game over; they can already get the user's email address just by logging in?

InternalLoss commented 1 year ago

Potentially, though it may let them bypass usual checks (like CAPTCHA/etc) to retrieve email, assuming we had a CAPTCHA on logins on the website in future.

jonbarrow commented 12 months ago

What is the error sent when the email does not match?

luni-moon commented 3 months ago

Has this been resolved, or may I work on seeing if I can fix it, if I find the error in the source code not matching it correctly?