Email enumeration via sending a magic sign in link functionality in healthchecks/healthchecks
Jan 20th 2023
The "send a magic sign-in link" functionality is vulnerable to an email enumeration attack: the response message reveals whether the submitted address belongs to a registered account.
Proof of Concept
If you enter a registered email address, you get the message:
Login Link Sent!
If you enter an email address that is not registered, you get the message:
Unknown email address.
Because the two responses differ, anyone can submit a list of addresses to the form and learn which ones have accounts, without needing to log in.
Email enumeration allows an attacker to discover valid usernames/emails on the victim application. An attacker can use this information for more targeted attacks, such as brute-forcing passwords of known accounts or sending convincing phishing emails to confirmed users.
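The following is an added example, not code from the healthchecks project or from the report. It models the two behaviours in plain Python (a constructed in-memory user set instead of the real Django view) so the oracle can be tested offline: a vulnerable handler that returns the two distinct messages quoted above, a hardened handler that returns one uniform message, and a black-box probe of the kind a tester would run, which compares each candidate's response against the response for an address known not to exist. All addresses, function names and the wording of the hardened message are assumptions for the demo.

```python
"""Email-enumeration oracle in a magic-link flow: vulnerable vs. hardened (constructed demo)."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Set

# Constructed user store standing in for the application's user table (assumption).
REGISTERED: Set[str] = {"alice@example.com", "bob@example.com"}


@dataclass(frozen=True)
class Response:
    """Minimal stand-in for an HTTP response: status code plus the visible message."""
    status: int
    body: str


def vulnerable_magic_link(email: str, users: Set[str] = REGISTERED) -> Response:
    """Mirrors the behaviour described in the report: the message depends on registration."""
    if email in users:
        # A real handler would send the login link here.
        return Response(200, "Login Link Sent!")
    return Response(200, "Unknown email address.")


def hardened_magic_link(email: str, users: Set[str] = REGISTERED) -> Response:
    """Same status and message whether or not the address is registered.

    The mail is only actually sent for known addresses, but the caller cannot tell.
    """
    if email in users:
        pass  # A real handler would enqueue the login-link email here (asynchronously).
    return Response(200, "If that address is registered, a login link has been sent.")


def probe_for_oracle(
    handler: Callable[[str], Response],
    known_unregistered: str,
    candidates: Iterable[str],
) -> Dict[str, bool]:
    """Black-box enumeration check.

    Establish a baseline with an address that certainly has no account, then flag every
    candidate whose (status, body) differs from that baseline. A True verdict means the
    endpoint told us the candidate is registered.
    """
    baseline = handler(known_unregistered)
    verdict: Dict[str, bool] = {}
    for candidate in candidates:
        r = handler(candidate)
        verdict[candidate] = (r.status, r.body) != (baseline.status, baseline.body)
    return verdict


if __name__ == "__main__":
    wordlist = ["alice@example.com", "mallory@example.com", "bob@example.com"]
    print("vulnerable:", probe_for_oracle(vulnerable_magic_link, "nobody@example.com", wordlist))
    print("hardened:  ", probe_for_oracle(hardened_magic_link, "nobody@example.com", wordlist))
```

Against the vulnerable handler the probe marks the two registered addresses as confirmed; against the hardened one every verdict is False, since there is nothing in the response to distinguish. A uniform message is the necessary fix but not always sufficient: if the link is sent synchronously for registered addresses only, the request for a registered address takes measurably longer, so the sending should be queued or otherwise made to take the same time on both paths.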