👟 Reproduction steps
Click the Recover button (if an account does not exist in the Appwrite database, it notifies you that no user is found with this email address).
👍 Expected behavior
Description: The email recovery API allows anyone to check whether a user has an account on the Appwrite website.
These bugs fall into the following categories:
Privacy violation - Users typically expect their account information to be kept private.
Security risk - Attackers can use this functionality to gather information about valid user accounts.
Resource drain - Frequent requests to check for user existence can lead to consumption of resources.
Solution/Expected behavior: Implement rate limiting to restrict the usage frequency, or implement a generic message: "If an account exists in our database, you will receive an account recovery link at your email address."
Priority: High
Severity: Medium
👎 Actual Behavior
It actually exposes the information that an account exists with the given email address.
🎲 Appwrite version
Appwrite Cloud
💻 Operating system
Windows
🧱 Your Environment
No response
👀 Have you spent some time to check if this issue has been raised before?
🏢 Have you read the Code of Conduct?
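The two mitigations the report asks for (a uniform response and rate limiting) side by side with the leaky behaviour, as an added example; this is illustrative Python, not Appwrite's own code, and the user table, outbox, function names and limits are all constructed for the demonstration:

```python
"""Added example: account enumeration through a password-recovery endpoint,
and two mitigations (uniform response, per-IP and per-email rate limiting).
Not Appwrite's implementation; every name and record below is constructed."""
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional, Tuple

# Constructed account table standing in for the real user database.
USERS = {"alice@example.com": {"id": "u1"}}

# Constructed outbox so the example runs offline; a real service would hand
# the message to a background mail queue here.
OUTBOX = []


def recover_vulnerable(email: str) -> Tuple[int, dict]:
    """Leaks existence: status code and message differ per case."""
    if email not in USERS:
        return 404, {"message": "User with the requested email could not be found"}
    OUTBOX.append((email, "recovery-link"))
    return 201, {"message": "Recovery email sent"}


GENERIC = {"message": "If an account exists for this email address, "
                      "you will receive an account recovery link."}


def recover_hardened(email: str) -> Tuple[int, dict]:
    """Same status and body whether or not the account exists.

    Only the enqueue step differs between the two branches; a real handler
    should push the send to a worker so response latency does not become
    the next enumeration oracle."""
    if email in USERS:
        OUTBOX.append((email, "recovery-link"))
    return 200, GENERIC


class SlidingWindowLimiter:
    """Allow at most `limit` hits per key within the trailing `window` seconds."""

    def __init__(self, limit: int, window_seconds: float):
        self.limit = limit
        self.window = window_seconds
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self._hits[key]
        while q and now - q[0] > self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Constructed limits: 5 attempts per hour, per source address and per mailbox.
LIMITER = SlidingWindowLimiter(limit=5, window_seconds=3600)


def recover_endpoint(email: str, client_ip: str,
                     now: Optional[float] = None) -> Tuple[int, dict]:
    """Uniform response plus rate limiting.

    Limiting per IP bounds one attacker; limiting per email bounds a
    distributed sweep aimed at a single mailbox and the resource-drain
    case in the report."""
    email = email.strip().lower()
    if not LIMITER.allow("ip:" + client_ip, now) or \
       not LIMITER.allow("email:" + email, now):
        return 429, {"message": "Too many requests"}
    return recover_hardened(email)


def probe(handler, emails):
    """What an attacker sees: one (status, body) pair per candidate address."""
    return {e: handler(e) for e in emails}


if __name__ == "__main__":
    candidates = ["alice@example.com", "bob@example.com"]
    print("vulnerable:", probe(recover_vulnerable, candidates))
    print("hardened:  ", probe(recover_hardened, candidates))
```

Against the vulnerable handler the probe map separates registered from unregistered addresses by status code alone; against the hardened handler both rows are identical, and the endpoint wrapper returns 429 once either the source address or the target mailbox exceeds its window.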