Open InternalLoss opened 2 years ago
Bumping this for security reasons.
I believe we already discussed this, but isn't this only a "security" issue if the attacker already has the user's username/password? If an attacker already has a user's login it's game over; they can already get the user's email address just by logging in?
Potentially, though it may let them bypass usual checks (like CAPTCHA/etc) to retrieve email, assuming we had a CAPTCHA on logins on the website in future.
What is the error sent when the email does not match?
Has this been resolved, or may I work on seeing if I can fix it, if I find the error in the source code not matching it correctly?
When trying to link a PNID to a console, the server should check PNID, password, AND email - the following HTTP headers are sent:
NB: `X-Nintendo-Local-Pin-Flag: Y` is set if Parental Controls IS enabled.
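The check described above (PNID, password AND email must all match before a console link is accepted), as an added illustration that is not code from this issue or from the project. It assumes a hypothetical in-memory account store and hashing scheme (PBKDF2 with a per-account salt) standing in for whatever the real server uses; the point it demonstrates is that every mismatch, including a wrong email, returns the same generic failure, so the link endpoint never becomes a way to confirm or retrieve the email attached to a PNID.

```python
import hashlib
import hmac
import os
import secrets


def _hash_password(password: str, salt: bytes) -> bytes:
    # Assumed hashing scheme for this example; the real service may differ.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_account(pnid: str, password: str, email: str) -> dict:
    salt = os.urandom(16)
    return {"pnid": pnid, "salt": salt,
            "pw_hash": _hash_password(password, salt), "email": email}


# Constructed account store standing in for the server's database.
ACCOUNTS = {
    "example_user": make_account("example_user",
                                 "correct horse battery staple",
                                 "user@example.invalid"),
}

# Dummy record used when the PNID is unknown, so that path does the same
# hashing work as a real lookup and does not stand out by timing.
_DUMMY = make_account("__dummy__", secrets.token_hex(16), "nobody@example.invalid")

# One failure shape for every mismatch: it names no field and echoes no email.
GENERIC_FAILURE = {"status": 400, "error": "invalid_credentials"}


def check_link_request(pnid: str, password: str, email: str) -> dict:
    """Validate a console-link request.

    PNID, password and email must all match the stored record. A mismatch in
    any one of them yields the identical generic failure, so the response
    cannot be used to learn which part was wrong or what the stored email is.
    """
    record = ACCOUNTS.get(pnid, _DUMMY)
    pw_ok = hmac.compare_digest(_hash_password(password, record["salt"]),
                                record["pw_hash"])
    email_ok = hmac.compare_digest(email.strip().lower().encode("utf-8"),
                                   record["email"].lower().encode("utf-8"))
    # Both comparisons are computed before the decision, so the work done does
    # not depend on which check fails.
    if pnid in ACCOUNTS and pw_ok and email_ok:
        return {"status": 200, "pnid": pnid}
    return dict(GENERIC_FAILURE)


if __name__ == "__main__":
    print(check_link_request("example_user", "correct horse battery staple",
                             "user@example.invalid"))
    print(check_link_request("example_user", "correct horse battery staple",
                             "other@example.invalid"))
```

The email comparison is deliberately case-insensitive on the whole address only as a simplification for the example; a production check should follow whatever normalisation the account service applied at registration time, and must still return the same `GENERIC_FAILURE` on mismatch.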