Email enumeration via Resend link page in bookwyrm-social/bookwyrm

Valid

Reported on

Jul 12th 2022


Description

Through the Resend link page, an attacker can learn whether or not an email address is registered simply by observing the notification in the response page. Once the attacker knows that an email address exists, they can direct a brute-force attack against that account.

If an email exists:

There is no notification and a confirmation link will be sent to <email_address>.

If an email does not exist:

The notification will be No user matching this email address found. with red color.

Proof of Concept

1. Go to the Resend link page (https://bookwyrm.social/resend-link)
2. Enter an existing email address and click Resend link.
3. Check the mailbox.
4. Enter a non-existent email address (e.g. test@local.com) and click Resend link.
5. Observe the error notification.

Impact

Account enumeration is a security risk whereby a web site gives out information about which accounts already exist in the system. This may: a) leave those accounts susceptible to a brute-force attack, and b) violate users' privacy, which can be very important for certain types of sites.
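To illustrate the pattern described above and the usual mitigation, here is an added, self-contained example that is not BookWyrm's own code: a constructed resend-link handler that leaks existence through differing messages, a hardened version that returns the same status and wording for registered and unregistered addresses (only the side effect of sending mail differs), and a small regression check a maintainer could keep in a test suite. The user store and message strings are constructed for the example.

```python
"""Resend-confirmation-link handlers: the enumeration pattern from the report
beside a uniform-response fix. Constructed example, not BookWyrm's code."""
from dataclasses import dataclass, field

# Constructed stand-in for the user table.
KNOWN_USERS = {"alice@example.org", "bob@example.org"}


@dataclass
class Response:
    status: int
    message: str
    mail_sent_to: list = field(default_factory=list)


def resend_link_vulnerable(email: str) -> Response:
    """Leaks existence: the requester sees a different message per branch."""
    if email not in KNOWN_USERS:
        return Response(200, "No user matching this email address found.")
    return Response(200, f"A confirmation link will be sent to {email}.", [email])


def resend_link_fixed(email: str) -> Response:
    """Uniform response: identical status and wording whether or not the
    address is registered; the mail is only dispatched for real users, and
    that side effect is not visible to the requester."""
    sent = []
    if email in KNOWN_USERS:
        sent.append(email)
    return Response(
        200,
        "If that address is registered, a confirmation link has been sent.",
        sent,
    )


def leaks_existence(handler, known: str, unknown: str) -> bool:
    """Regression check: the requester-visible parts of the response
    (status code and message) must not differ between a registered and
    an unregistered address. Returns True if the handler leaks."""
    a, b = handler(known), handler(unknown)
    return (a.status, a.message) != (b.status, b.message)
```

Response timing should be kept uniform as well (for example by not skipping expensive work only on the unregistered branch), since a noticeable delay difference leaks the same information as a different message.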

We are processing your report and will contact the bookwyrm-social/bookwyrm team within 24 hours. 22 days ago
We have contacted a member of the bookwyrm-social/bookwyrm team and are waiting to hear back 21 days ago
Mouse Reeve validated this vulnerability 20 days ago
KhanhCM has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Mouse Reeve confirmed that a fix has been merged on aa5796 20 days ago
The fix bounty has been dropped
resend_modal.html#L7-L42 has been validated
register.py#L134-L152 has been validated
resend.html#L1-L10 has been validated
KhanhCM
7 days ago

Researcher


Hi maintainer,

Can you review other pending reports for me please?

Many thanks!
