identify registered user in heroiclabs/nakama
Apr 2nd 2022
The password-reset page returns a different response depending on whether the submitted email address is registered, which allows an attacker to identify registered accounts.
Proof of Concept
1. Sign up to https://cloud.heroiclabs.com/ using an email address like
2. Now go to https://cloud.heroiclabs.com/recover, enter a dummy (unregistered) email address such as email@example.com and request a password reset. The response is:
Email not registered.
3. Now request a password reset again with a registered email address, firstname.lastname@example.org, and the response is:
An email has been sent. Please check your email for a reset link.
So there are two different responses for registered and non-registered email addresses. If the email is registered the response is
An email has been sent. Please check your email for a reset link.
and if the email is not registered the response is
Email not registered.
Using this behaviour an attacker can enumerate which email addresses are registered.
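The oracle described above, as an added example that is not Nakama's or Heroic Labs' code: `vulnerable_recover` models the two distinct replies from the report, `hardened_recover` returns the same status and message whether or not the address exists, and `enumerate_accounts` is the attacker's side, which flags any address whose reply differs from a known-unregistered baseline. The registered-address set, the outbox and the candidate list are constructed for this demonstration and are not real data.

```python
import secrets
from typing import Callable, Dict, List, Set, Tuple

# Constructed sample of registered accounts (assumption for this demo, not real data).
REGISTERED: Set[str] = {"firstname.lastname@example.org"}

# Stand-in for the mail queue; each entry is (address, reset token).
OUTBOX: List[Tuple[str, str]] = []

# One message for every address, so the reply carries no registration bit.
GENERIC_MSG = "If that address is registered, a reset link has been sent."


def vulnerable_recover(email: str) -> Dict[str, object]:
    """Behaviour from the report: the reply depends on whether the address exists."""
    if email.strip().lower() in REGISTERED:
        OUTBOX.append((email, secrets.token_urlsafe(32)))
        return {"status": 200,
                "message": "An email has been sent. Please check your email for a reset link."}
    return {"status": 404, "message": "Email not registered."}


def hardened_recover(email: str) -> Dict[str, object]:
    """Same status and message for every address; mail is only queued for real accounts."""
    if email.strip().lower() in REGISTERED:
        OUTBOX.append((email, secrets.token_urlsafe(32)))
    return {"status": 200, "message": GENERIC_MSG}


def enumerate_accounts(recover: Callable[[str], Dict[str, object]],
                       candidates: List[str]) -> List[str]:
    """Attacker side: an address is registered if its reply differs from the baseline.

    The baseline probe uses a random local part so it is (almost certainly) unregistered.
    """
    def fingerprint(reply: Dict[str, object]) -> Tuple[object, object]:
        return (reply["status"], reply["message"])

    baseline = fingerprint(recover(f"nobody-{secrets.token_hex(8)}@example.com"))
    return [c for c in candidates if fingerprint(recover(c)) != baseline]


if __name__ == "__main__":
    probes = ["email@example.com", "firstname.lastname@example.org"]
    print("vulnerable:", enumerate_accounts(vulnerable_recover, probes))  # ['firstname.lastname@example.org']
    print("hardened:  ", enumerate_accounts(hardened_recover, probes))    # []
```

A uniform message only closes the oracle the report shows. The same bit can still leak through a different status code, a measurably slower response on the branch that sends mail, or a signup form that rejects addresses already in use, so the reset and signup paths should be rate limited and checked together.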
This issue is the same as this issue: https://huntr.dev/bounties/1afdf850-e24b-4b60-a608-397df2122c1c/
The issue is fixed.
@Jamie I made a mistake with the token in the URL - please remove the token and blacklist it. Apologies.