Enumeration of registered email addresses via user profile API #38

sveeke · 2018-06-18T19:51:17Z

BadgeUserProfile uses BadgeUserProfileSerializer which responds to registration attempts with this error message:

Account could not be created. An account with this email address may already exist.

This API endpoint can be accessed by sending a POST request to v1/user/profile. It expects these fields as parameters:

first_name = serializers.CharField(max_length=30, allow_blank=True)                
last_name = serializers.CharField(max_length=30, allow_blank=True)                 
email = serializers.EmailField()                                                   
password = serializers.CharField(style={'input_type': 'password'}, write_only=True)

The text was updated successfully, but these errors were encountered:

ottonomy · 2018-06-28T21:17:31Z

This is a valid issue. There may be some potential for data leak. The account cannot be created, so some error message must be returned. It is possible to be even less specific in the error message trading off protection against this potential data leak for a more confusing user experience.

sveeke · 2019-01-17T14:35:33Z

@ottonomy has something been changed in Badgr because of this issue?

sveeke added risk-moderate Security issues with a moderate impact bug-infoleak labels Jun 18, 2018

sveeke added this to the Pilot 2018 milestone Jun 18, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Enumeration of registered email addresses via user profile API #38

Enumeration of registered email addresses via user profile API #38

sveeke commented Jun 18, 2018

ottonomy commented Jun 28, 2018

sveeke commented Jan 17, 2019

Enumeration of registered email addresses via user profile API #38

Enumeration of registered email addresses via user profile API #38

Comments

sveeke commented Jun 18, 2018

ottonomy commented Jun 28, 2018

sveeke commented Jan 17, 2019