High

superagi

User Information Leak via Duplicate Email Registration

A vulnerability in the latest version of the software allows an attacker to obtain sensitive user information by attempting to register with an email address that is already in use. The issue was identified in the user registration endpoint and has not yet been patched.

Available publicly on Dec 19 2024

7.5

Threat Overview

The vulnerability exists in the user registration endpoint: when an attacker tries to register with an email address that is already in use, the server responds with the full record of the existing account instead of a generic error. This can expose sensitive information such as names, email addresses, and even passwords if they are stored in plaintext or otherwise improperly. The impact includes potential account compromise, privacy violations, and an increased risk of phishing and targeted attacks.

Attack Scenario

An attacker logs in with a valid account and then attempts to register a new account using a target user's email address. The server responds with the existing account's full record, including sensitive information such as the user's name, email address, and password.
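The flaw described above, as an added example that is not SuperAGI's code: a minimal in-memory registration handler that reproduces the leak (`register_vulnerable`) next to a hardened version (`register_hardened`). The function names, the in-memory store, the `PlainUser`/`HashedUser` record shapes and the sample account are assumptions constructed for this illustration. The hardened handler goes one step beyond the page: it returns the same response whether or not the email exists, which also closes the account-enumeration side channel, and it stores only a salted PBKDF2 hash, so even a later serialization mistake cannot expose a plaintext password. `leaked_fields` is the kind of regression check a test suite can run against every registration response.

```python
"""Vulnerable vs. hardened registration handler (added illustration, not
SuperAGI's code). Requests and responses are plain dicts; the "database" is
an in-memory dict keyed by email. All data below is constructed sample data."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed sample account (hypothetical, not real data).
SEED_NAME, SEED_EMAIL, SEED_PASSWORD = "Alice", "alice@example.com", "hunter2"

# Keys that must never appear in a registration response.
SENSITIVE_FIELDS = {"password", "password_hash", "salt", "api_key", "token"}


@dataclass
class PlainUser:
    """Record shape of the flawed store: the password is kept in plaintext,
    the 'stored improperly' case the advisory mentions."""
    name: str
    email: str
    password: str


def seed_vulnerable_db() -> dict:
    """Fresh in-memory store holding one pre-existing user."""
    return {SEED_EMAIL: PlainUser(SEED_NAME, SEED_EMAIL, SEED_PASSWORD)}


def register_vulnerable(db: dict, payload: dict):
    """Reproduces the advisory's flaw: on a duplicate email the handler answers
    with the EXISTING account's full record, password included."""
    existing = db.get(payload["email"])
    if existing is not None:
        return 200, {"name": existing.name, "email": existing.email,
                     "password": existing.password}
    db[payload["email"]] = PlainUser(payload["name"], payload["email"],
                                     payload["password"])
    return 201, {"name": payload["name"], "email": payload["email"]}


@dataclass
class HashedUser:
    """Record shape of the hardened store: salted PBKDF2 hash, no plaintext."""
    name: str
    email: str
    salt: bytes
    pw_hash: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def verify_password(user: HashedUser, candidate: str) -> bool:
    # Constant-time comparison so a login path does not leak hash prefixes.
    return hmac.compare_digest(user.pw_hash, hash_password(candidate, user.salt))


def register_hardened(db: dict, payload: dict):
    """Never serializes an account record. An existing account is left
    untouched, and the response is identical whether or not the email was
    already taken, so the endpoint is not an account-enumeration oracle."""
    email = payload["email"].strip().lower()
    if email not in db:
        salt = os.urandom(16)
        db[email] = HashedUser(payload["name"], email, salt,
                               hash_password(payload["password"], salt))
    return 202, {"message": "If this address can be registered, "
                            "a confirmation email has been sent."}


def leaked_fields(body: dict) -> set:
    """Regression check: which sensitive keys are present in a response body."""
    return SENSITIVE_FIELDS & set(body)


if __name__ == "__main__":
    attempt = {"name": "Mallory", "email": SEED_EMAIL, "password": "x"}
    status, body = register_vulnerable(seed_vulnerable_db(), attempt)
    print("vulnerable:", status, "leaked:", sorted(leaked_fields(body)))
    hdb = {}
    register_hardened(hdb, {"name": SEED_NAME, "email": SEED_EMAIL,
                            "password": SEED_PASSWORD})
    status, body = register_hardened(hdb, attempt)
    print("hardened:  ", status, "leaked:", sorted(leaked_fields(body)))
```

Run as a script, the vulnerable handler reports `password` among the leaked fields for the duplicate registration, while the hardened handler returns 202 with no account data and leaves the original account's name and password hash unchanged.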

Who is affected

All users of the software who have registered accounts are affected by this vulnerability. Attackers with valid login credentials can exploit this issue to access sensitive information of other users.
