identify registered user in heroiclabs/nakama

Valid

Reported on

Apr 2nd 2022

Description

There is a response during password reset which allow to identify if email address is registered or not

Proof of Concept

1. Signup to https://cloud.heroiclabs.com/ using a email like xyz@gmail.com .
2. Now goto https://cloud.heroiclabs.com/recover and put a dummy email address abc@gmail.com and send a password reset . Here you get response Email not registered. . Now again send a password reset with a registered email address xyz@gmail.com and you get bellow response

An email has been sent. Please check your email for a reset link.

So, there is two different response for registered email and non-registered email . Using this behaviour attacker can find out registered email address .
\

If email is registered then response is An email has been sent. Please check your email for a reset link. and if email is not registered then response is Email not registered.

Impact

Attacker can find out registered email address using this attack

We are processing your report and will contact the heroiclabs/nakama team within 24 hours. 2 years ago

A GitHub Issue asking the maintainers to create a SECURITY.md exists 2 years ago

We have contacted a member of the heroiclabs/nakama team and are waiting to hear back 2 years ago

A heroiclabs/nakama maintainer modified the report

2 years ago

A heroiclabs/nakama maintainer validated this vulnerability 2 years ago

ranjit-git has been awarded the disclosure bounty

The fix bounty is now up for grabs

We have sent a fix follow up to the heroiclabs/nakama team. We will try again in 7 days. 2 years ago

We have sent a second fix follow up to the heroiclabs/nakama team. We will try again in 10 days. 2 years ago

We have sent a third and final fix follow up to the heroiclabs/nakama team. This report is now considered stale. 2 years ago

A heroiclabs/nakama maintainer

commented 2 years ago

Maintainer

This issue is the same as this issue: https://huntr.dev/bounties/1afdf850-e24b-4b60-a608-397df2122c1c/

The issue is fixed.

A heroiclabs/nakama maintainer marked this as fixed in 3.11.0 with commit afe8bd 2 years ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

Mo Firouz

commented 2 years ago

Maintainer

@Jamie I made a mistake with the token in the URL - please remove the token and blacklist it. Apologies.

to join this conversation

We are processing your report and will contact the heroiclabs/nakama team within 24 hours. 2 years ago

A GitHub Issue asking the maintainers to create a SECURITY.md exists 2 years ago

We have contacted a member of the heroiclabs/nakama team and are waiting to hear back 2 years ago

A heroiclabs/nakama maintainer modified the report

2 years ago

A heroiclabs/nakama maintainer validated this vulnerability 2 years ago

ranjit-git has been awarded the disclosure bounty

The fix bounty is now up for grabs

We have sent a fix follow up to the heroiclabs/nakama team. We will try again in 7 days. 2 years ago

We have sent a second fix follow up to the heroiclabs/nakama team. We will try again in 10 days. 2 years ago

We have sent a third and final fix follow up to the heroiclabs/nakama team. This report is now considered stale. 2 years ago

A heroiclabs/nakama maintainer

commented 2 years ago

Maintainer

This issue is the same as this issue: https://huntr.dev/bounties/1afdf850-e24b-4b60-a608-397df2122c1c/

The issue is fixed.

A heroiclabs/nakama maintainer marked this as fixed in 3.11.0 with commit afe8bd 2 years ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

Mo Firouz

commented 2 years ago

Maintainer

@Jamie I made a mistake with the token in the URL - please remove the token and blacklist it. Apologies.

to join this conversation