
signInWithOtp has a user enumeration vulnerability

Open jeremyisatrecharm opened this issue 1 year ago • 2 comments

Bug report

Note: I tried to go through vulnerability reporting but I found that to be so complex that I gave up.

Describe the bug

If you set shouldCreateUser: false, and then pass in an email address of someone who is not a user, you will get an error; whereas an actual user will not. So using this leaks info about users.

Isn't it even possible to run this via, say, the Chrome console? If so, doing something like wrapping this call in an API endpoint does not accomplish much...

jeremyisatrecharm, Nov 30 '24 15:11
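Added example, not code from the issue or from Supabase: a server-side wrapper that calls `signInWithOtp` with `shouldCreateUser: false` but returns one fixed response whatever the result, keeping the real outcome in a private audit log where an enumeration pattern (one source probing many distinct addresses that all fail) can be detected. The Supabase client is replaced by a constructed stub; its error text is an assumption.

```javascript
// Constructed stand-in for supabase.auth.signInWithOtp: rejects unknown
// e-mails when shouldCreateUser is false, as the issue describes.
// The error message text is an assumption, not Supabase's actual string.
const KNOWN_USERS = new Set(['alice@example.com']);
const fakeSupabase = {
  auth: {
    async signInWithOtp({ email, options }) {
      if (options?.shouldCreateUser === false && !KNOWN_USERS.has(email)) {
        return { data: null, error: { message: 'user not found (constructed)' } };
      }
      return { data: { user: null, session: null }, error: null };
    },
  },
};

// Server-side audit log; the real outcome is recorded here and nowhere else.
const auditLog = [];

// One frozen response for every outcome, so the caller learns nothing
// about whether the address belongs to a user.
const GENERIC_RESPONSE = Object.freeze({
  ok: true,
  message: 'If an account exists for that address, a sign-in link has been sent.',
});

async function requestOtp(client, email, sourceIp) {
  const { error } = await client.auth.signInWithOtp({
    email,
    options: { shouldCreateUser: false },
  });
  auditLog.push({ email, sourceIp, failed: Boolean(error), at: Date.now() });
  return GENERIC_RESPONSE; // identical object for existing and missing users
}

// Detection over the audit log: a source whose failed requests cover more
// than `threshold` distinct addresses looks like an enumeration sweep.
function suspiciousSources(log, threshold) {
  const perSource = new Map();
  for (const entry of log) {
    if (!entry.failed) continue;
    if (!perSource.has(entry.sourceIp)) perSource.set(entry.sourceIp, new Set());
    perSource.get(entry.sourceIp).add(entry.email);
  }
  return [...perSource]
    .filter(([, emails]) => emails.size > threshold)
    .map(([ip]) => ip);
}
```

As the reporter notes, this only closes the leak if the browser cannot reach `signInWithOtp` directly with the project's public key; the wrapper is a mitigation for the server path, not for the client SDK path.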

This should likely be transferred to the supabase/auth repo, as it handles the logic of returning an error.

j4w8n, Dec 04 '24 20:12

Hi, I've moved this issue over from the supabase repo as it's more auth-related.

Hallidayo, Mar 05 '25 20:03

Any update on this?

nikhil-mat, Sep 29 '25 09:09