Bug: Exposed Endpoint Reveals Existence of User Emails

sohamnandi77 commented 5 days ago

The endpoint /auth/account-exists seems to reveal whether a particular email exists in the system or not by returning different responses based on the existence of the provided email. This can potentially allow attackers to check if an email is registered, leading to privacy concerns or facilitating targeted phishing attacks.

Endpoint: https://api.dub.co/auth/account-exists

Steps to Reproduce:

Send a request to the endpoint with any email address.
Observe the response – the endpoint returns whether the email is registered or not.

Concerns:

This might allow attackers to easily verify whether a certain email is associated with an account on the platform.
Could this be considered a security issue? Was this behavior thought through ?
Exposing this information could lead to user enumeration attacks and other privacy or security risks.

linear[bot] commented 5 days ago

ENG-546 Security Vulnerability: Exposed Endpoint Reveals Existence of User Emails

steven-tey commented 4 days ago

Thanks for the heads up! We're working on a way to make this more secure 👍

dubinc / dub

Bug: Exposed Endpoint Reveals Existence of User Emails #1263