identify registered user in heroiclabs/nakama

Valid

Reported on

Apr 2nd 2022


Description

There is a response during password reset which allows identifying whether an email address is registered or not.

Proof of Concept

1. Sign up to https://cloud.heroiclabs.com/ using an email like xyz@gmail.com.
2. Now go to https://cloud.heroiclabs.com/recover, put in a dummy email address abc@gmail.com and send a password reset. Here you get the response "Email not registered." Now again send a password reset with a registered email address xyz@gmail.com and you get the below response:

An email has been sent. Please check your email for a reset link.

So there are two different responses for registered and non-registered email addresses. Using this behaviour an attacker can find out registered email addresses.

If the email is registered then the response is "An email has been sent. Please check your email for a reset link." and if the email is not registered then the response is "Email not registered."
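As an added illustration (not code from this report or from the heroiclabs project), the Go snippet below contrasts the leaking behaviour described above with a handler that returns one uniform message. The in-memory user map and the sendResetMail stub are assumptions standing in for the real account store and mailer.

```go
package main

import "fmt"

// Constructed in-memory "user store" standing in for the real account database.
var registered = map[string]bool{"xyz@gmail.com": true}

// The two distinct messages quoted in the report; their difference is the leak.
const (
	msgSent          = "An email has been sent. Please check your email for a reset link."
	msgNotRegistered = "Email not registered."
)

// RecoverVulnerable reproduces the reported behaviour: the response text
// depends on whether the address exists in the store.
func RecoverVulnerable(email string) string {
	if !registered[email] {
		return msgNotRegistered
	}
	sendResetMail(email)
	return msgSent
}

// RecoverHardened returns the same message for every address. The reset mail
// is still sent only when the account exists, so the client learns nothing
// from the response body. (In production the send should also be queued
// asynchronously so response timing does not leak the same bit.)
func RecoverHardened(email string) string {
	if registered[email] {
		sendResetMail(email)
	}
	return "If that address is registered, a reset link has been sent."
}

// sendResetMail is a stand-in for the real mailer (assumption).
func sendResetMail(email string) {}

// ResponsesDiffer is the regression check a defender would keep: does the
// endpoint answer differently for a known versus an unknown address?
func ResponsesDiffer(handler func(string) string, known, unknown string) bool {
	return handler(known) != handler(unknown)
}

func main() {
	fmt.Println(ResponsesDiffer(RecoverVulnerable, "xyz@gmail.com", "abc@gmail.com")) // true
	fmt.Println(ResponsesDiffer(RecoverHardened, "xyz@gmail.com", "abc@gmail.com"))   // false
}
```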

Impact

An attacker can find out registered email addresses using this attack.

We are processing your report and will contact the heroiclabs/nakama team within 24 hours. 3 months ago
We have contacted a member of the heroiclabs/nakama team and are waiting to hear back 3 months ago
heroiclabs/nakama maintainer modified the report 3 months ago
heroiclabs/nakama maintainer validated this vulnerability 3 months ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the heroiclabs/nakama team. We will try again in 7 days. 3 months ago
We have sent a second fix follow up to the heroiclabs/nakama team. We will try again in 10 days. 2 months ago
We have sent a third and final fix follow up to the heroiclabs/nakama team. This report is now considered stale. 2 months ago
heroiclabs/nakama maintainer (Maintainer), a month ago

This issue is the same as this issue: https://huntr.dev/bounties/1afdf850-e24b-4b60-a608-397df2122c1c/

The issue is fixed.

heroiclabs/nakama maintainer confirmed that a fix has been merged on afe8bd a month ago
The fix bounty has been dropped
Mo Firouz (Maintainer), a month ago

@Jamie I made a mistake with the token in the URL - please remove the token and blacklist it. Apologies.
