The endpoint /auth/account-exists seems to reveal whether a particular email exists in the system or not by returning different responses based on the existence of the provided email. This can potentially allow attackers to check if an email is registered, leading to privacy concerns or facilitating targeted phishing attacks.
Endpoint:
https://api.dub.co/auth/account-exists
Steps to Reproduce:
Send a request to the endpoint with any email address.
Observe the response – the endpoint returns whether the email is registered or not.
Concerns:
This might allow attackers to easily verify whether a certain email is associated with an account on the platform.
Could this be considered a security issue? Was this behavior thought through?
Exposing this information could lead to user enumeration attacks and other privacy or security risks.
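To make the concern concrete, here is an added example (not dub.co's code) of the same endpoint logic written two ways: a leaky handler whose response depends on whether the email is registered, and a hardened handler that returns an identical response either way and lets account existence affect only a side effect. The `users` set, the `sendSignInEmail` callback and the helper names are all assumptions for this illustration.

```javascript
// Added example, not part of the original report or of dub.co's code base.
// `users` is a constructed in-memory account set standing in for the real database.

// Leaky version: the body differs depending on whether the email is registered,
// so anyone who can call the endpoint learns which addresses have accounts.
function leakyAccountExists(email, users) {
  if (users.has(email.toLowerCase())) {
    return { status: 200, body: { exists: true } };
  }
  return { status: 200, body: { exists: false } };
}

// Hardened version: every well-formed request gets the identical status and body.
// Existence only decides whether a sign-in email is sent; it is never reflected
// in the response. (A lookup that only runs for registered users can still leak
// through timing, so the database query is performed for every request.)
function uniformAccountExists(email, users, sendSignInEmail) {
  const normalized = email.toLowerCase();
  const registered = users.has(normalized); // always executed, regardless of outcome
  if (registered) {
    sendSignInEmail(normalized); // side effect only
  }
  return {
    status: 200,
    body: { ok: true, message: "If an account exists, a sign-in link has been sent." },
  };
}

// Regression check a defender can keep in the test suite: responses for a
// registered and an unregistered address must be byte-for-byte identical.
function responsesDiffer(handler, knownEmail, unknownEmail) {
  return JSON.stringify(handler(knownEmail)) !== JSON.stringify(handler(unknownEmail));
}

// Constructed sample data and wiring so the example runs stand-alone.
const users = new Set(["alice@example.com"]);
const sentTo = [];
const leakyHandler = (email) => leakyAccountExists(email, users);
const uniformHandler = (email) =>
  uniformAccountExists(email, users, (addr) => sentTo.push(addr));
```

`responsesDiffer` returns true for the leaky handler and false for the hardened one; the hardened handler still delivers the sign-in email to the registered address, so the legitimate flow is preserved.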