Email enumeration via Resend link page in bookwyrm-social/bookwyrm

Valid

Reported on Jul 12th 2022


Description

Through the Resend link page, an attacker can learn whether an email address is registered or not just by observing the notification in the response page. Once the attacker knows that an email exists, they can launch a brute-force attack against that account.

If an email exists:

There is no error notification, and a confirmation link is sent to <email_address>.

If an email does not exist:

The notification is "No user matching this email address found.", shown in red.

Proof of Concept

1. Go to the Resend link page (https://bookwyrm.social/resend-link).
2. Enter an existing email address and click Resend link.
3. Check the mailbox.
4. Enter a non-existent email address (e.g. test@local.com) and click Resend link.
5. Observe the error notification.

Impact

Account enumeration is a potential security risk whereby a web site gives out information about which accounts already exist in the system. This may: a) leave those accounts susceptible to a brute-force attack; b) violate users' privacy, which may be very important for certain types of sites.
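The following is an added illustrative model of the behaviour described above, not BookWyrm's own code and not the fix in commit aa5796: a resend-link handler whose reply differs for known and unknown addresses, beside a hardened variant that returns the same visible reply either way and only sends mail when the account exists. The handler names, the `KNOWN_USERS` set and the hardened message text are assumptions.

```python
"""Illustrative model of the 'Resend link' flow (added example, not
BookWyrm's code). The notification strings are those quoted in the report."""
from dataclasses import dataclass, field

# Constructed sample of registered accounts; not real data.
KNOWN_USERS = {"alice@example.org", "bob@example.org"}


@dataclass
class Response:
    message: str            # text shown on the response page
    error: bool             # whether it is rendered as a red error notification
    sent_to: list = field(default_factory=list)  # addresses a link was mailed to


def resend_link_vulnerable(email: str) -> Response:
    """Before the fix: the visible reply reveals whether the address is registered."""
    if email in KNOWN_USERS:
        return Response(f"A confirmation link will be sent to {email}.", False, [email])
    return Response("No user matching this email address found.", True)


def resend_link_hardened(email: str) -> Response:
    """Hardened variant (assumed mitigation): identical reply for any address;
    the confirmation link is still sent only when the account exists."""
    outbox = [email] if email in KNOWN_USERS else []
    return Response(
        "If an account with that address exists, a confirmation link has been sent.",
        False,
        outbox,
    )


def leaks_existence(handler) -> bool:
    """Oracle check: does the visible reply differ between a known and an
    unknown address? True means the page is an account-enumeration oracle."""
    known = handler("alice@example.org")
    unknown = handler("nobody@example.org")
    return (known.message, known.error) != (unknown.message, unknown.error)


if __name__ == "__main__":
    print("vulnerable leaks existence:", leaks_existence(resend_link_vulnerable))  # True
    print("hardened leaks existence:", leaks_existence(resend_link_hardened))      # False
```

The oracle check is the regression test a maintainer would keep: the hardened handler must give byte-identical messages and status for registered and unregistered addresses, while still delivering the link only to registered ones.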

We are processing your report and will contact the bookwyrm-social/bookwyrm team within 24 hours. a year ago
We have contacted a member of the bookwyrm-social/bookwyrm team and are waiting to hear back a year ago
Mouse Reeve validated this vulnerability a year ago
KhanhCM has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Mouse Reeve marked this as fixed in 0.4.4 with commit aa5796 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
resend_modal.html#L7-L42 has been validated
register.py#L134-L152 has been validated
resend.html#L1-L10 has been validated
KhanhCM
a year ago

Researcher


Hi maintainer,

Can you review other pending reports for me please?

Many thanks!
