Observable Response Discrepancy in heroiclabs/nakama
Jan 21st 2022
It is possible to enumerate usernames via the login function.
Proof of Concept
The login response reveals whether or not a username is registered in the application. If the user is registered and a wrong password is provided, the following information is displayed:
If the user is not registered, the message contains the following:
Invalid Nakama Console credentials.
This allows an attacker to enumerate the usernames of registered accounts and then chain that information with other attacks.
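The following Go program is an added illustration of the response discrepancy described above and of the usual fix; it is not Nakama's code and uses a constructed in-memory account store. `LoginLeaky` returns a different reply for an unknown username than for a known username with a wrong password (the report quotes only the unknown-user message, so the wrong-password text here is a constructed placeholder). `LoginUniform` returns one status and one message for every failed attempt and runs the hash comparison against a dummy hash when the account does not exist, so neither the body nor the amount of work depends on whether the username is registered. `LeaksExistence` is the kind of regression check a defender can keep in a test suite: it fails a login handler whose failure reply differs between the two cases.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Response is the login reply as the client sees it.
type Response struct {
	Status  int
	Message string
}

// hashPassword stands in for a real password hash in this example; a
// production service would use a slow KDF such as bcrypt or argon2.
func hashPassword(pw string) []byte {
	h := sha256.Sum256([]byte(pw))
	return h[:]
}

// users is a constructed account store, not Nakama's real schema.
var users = map[string][]byte{
	"alice": hashPassword("correct-horse"),
}

// dummyHash is compared against when the username is unknown so that the
// unknown-user path performs the same work as the known-user path.
var dummyHash = hashPassword("dummy-password-never-accepted")

// LoginLeaky reproduces the discrepancy the report describes: the reply for
// an unknown username differs from the reply for a known username with a
// wrong password, so the difference reveals which usernames exist.
func LoginLeaky(username, password string) Response {
	stored, ok := users[username]
	if !ok {
		// Message quoted from the report for the unregistered-user case.
		return Response{Status: 401, Message: "Invalid Nakama Console credentials."}
	}
	if subtle.ConstantTimeCompare(stored, hashPassword(password)) != 1 {
		// Constructed wrong-password message; the report does not show the real one.
		return Response{Status: 401, Message: "Incorrect password for user " + username + "."}
	}
	return Response{Status: 200, Message: "OK"}
}

// LoginUniform is the hardened form: one status and one message for every
// failed attempt, and the hash comparison runs whether or not the user exists.
func LoginUniform(username, password string) Response {
	stored, ok := users[username]
	if !ok {
		stored = dummyHash
	}
	match := subtle.ConstantTimeCompare(stored, hashPassword(password)) == 1
	if !ok || !match {
		return Response{Status: 401, Message: "Invalid Nakama Console credentials."}
	}
	return Response{Status: 200, Message: "OK"}
}

// LeaksExistence returns true when the failure reply for an unknown account
// differs from the failure reply for a known account with a wrong password.
func LeaksExistence(login func(string, string) Response) bool {
	unknown := login("nobody-registered", "wrong")
	known := login("alice", "wrong")
	return unknown != known
}

func main() {
	fmt.Println("leaky handler leaks account existence:  ", LeaksExistence(LoginLeaky))   // true
	fmt.Println("uniform handler leaks account existence:", LeaksExistence(LoginUniform)) // false
}
```

Comparing the full `Response` (status and body) rather than just the message matters in practice: a handler that returns identical text but a different status code, header set, or noticeably different latency still lets a client tell the two cases apart, so a real regression test should compare everything the client can observe.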