identify registered user in heroiclabs/nakama
Apr 2nd 2022
The password-reset flow returns different responses depending on whether an email address is registered, which allows anyone to check if a given address has an account.
Proof of Concept
1. Sign up at https://cloud.heroiclabs.com/ using an email like
2. Now go to https://cloud.heroiclabs.com/recover, enter a dummy email address such as email@example.com and send a password reset.
Here you get the response:
Email not registered.
Now send a password reset again with a registered email address, firstname.lastname@example.org, and you get the response below:
An email has been sent. Please check your email for a reset link.
So there are two different responses for registered and non-registered email addresses. Using this behaviour an attacker can find out which email addresses are registered.
If the email is registered the response is:
An email has been sent. Please check your email for a reset link.
If the email is not registered the response is:
Email not registered.
An attacker can therefore enumerate registered email addresses through the password-reset endpoint.
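As an added example that is not from this report or from Nakama's code, the leaky reply pattern described above is shown in Go next to a uniform-response variant that removes the oracle; the account store (`registered`) and mailer (`sendResetLink`) are constructed stand-ins.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Constructed stand-in for the account store; not Nakama's real storage.
var registered = map[string]bool{"firstname.lastname@example.org": true}

// Addresses a reset link was dispatched to (stand-in for the real mailer).
var sent []string

func sendResetLink(email string) { sent = append(sent, email) }

// recoverLeaky mirrors the reported behaviour: the reply text depends on
// whether the address exists, so the endpoint doubles as a lookup oracle.
func recoverLeaky(email string) string {
	if !registered[email] {
		return "Email not registered."
	}
	sendResetLink(email)
	return "An email has been sent. Please check your email for a reset link."
}

// uniformReply is returned for every address by the hardened variant.
const uniformReply = "If that address is registered, a reset link has been sent."

// recoverUniform keeps the lookup server-side: it only decides whether a
// mail goes out, never what the caller sees.
func recoverUniform(email string) string {
	if registered[email] {
		sendResetLink(email)
	}
	return uniformReply
}

// RecoverHandler serves the hardened variant; status and body are identical
// for registered and unregistered addresses.
func RecoverHandler(w http.ResponseWriter, r *http.Request) {
	email := strings.ToLower(strings.TrimSpace(r.FormValue("email")))
	w.WriteHeader(http.StatusOK)
	fmt.Fprint(w, recoverUniform(email))
}

func main() {
	for _, e := range []string{"email@example.com", "firstname.lastname@example.org"} {
		rec := httptest.NewRecorder()
		req := httptest.NewRequest(http.MethodGet, "/recover?"+url.Values{"email": {e}}.Encode(), nil)
		RecoverHandler(rec, req)
		fmt.Printf("%-32s -> %d %q\n", e, rec.Code, rec.Body.String())
	}
}
```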