Ask HN: Endpoint Security Question

2 points by takklz ↗ HN
Random question that perhaps someone could shed some light on.

My buddy and I are having an argument regarding one of our pages. The page is for unsubscribing from emails. Simple enough, the endpoint looks like this:

Blah blah.com/emailpref?email=test@test.com

This takes them to a page saying. “Thanks, John for visiting your email preferences page”.

From there they manage their email preferences.

I told him that this is a super insecure design, and theoretically someone could brute force usernames and emails from this.

Am I overreacting? What am I missing here?

2 comments

[ 2.4 ms ] story [ 14.9 ms ] thread
Pentester here. Absolutely something I would look at and abuse. You're disclosing information, allowing the harvesting of valid email addresses, and allowing access to an account. even if only in a limited capacity for email management, based on only the email. There's no reason to do it this way.

See here: https://portswigger.net/web-security/access-control/idor

Thank you so much for the reply!!