with | 4 days ago

'Failed to execute SQL: too many connections for database "postgres"'

with|4 days ago

There are some extremely concerning security vulnerabilities in this project that even the weakest of hackers could exploit.

Is this product a ragebait/troll?

1) Account takeover of any user with just their email: POST /v1/account/recovery with any user's email, the API response gives you the plaintext recovery secret. Call PUT /v1/account/recovery with that secret + a new password. You now own their account. No email inbox access needed. Two curl commands.

2) Password hashes returned by the API: GET /v1/users with any API key returns every user's full argon2 hash, algorithm, and tuning parameters. Tested and got $argon2id$v=19$m=65536,t=3,p=4$... for test@kraz.in.

3) CORS reflects any origin with credentials: Send Origin: https://evil.com to any endpoint, and the server responds with Access-Control-Allow-Origin: https://evil.com + Access-Control-Allow-Credentials: true. Any website on the internet can silently read authenticated API responses from logged-in users.

There are literally like 50 more of these though. The author probably didn't spend more than 5 minutes on security hardening.
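For reference, here is how points 1 and 2 above are normally closed on the server side: the recovery secret is generated, hashed for storage and delivered only to the mailbox, the reset endpoint accepts it once and within a time limit, and user records are serialised from a field allowlist so a hash can never fall out of the response. This is an added example, not code from the project under discussion; the in-memory dicts stand in for its database and mailer, and PBKDF2 stands in for argon2id because it is in the standard library.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 900  # recovery secret valid for 15 minutes

# Constructed in-memory stand-ins for the database and the mail sender (assumption).
USERS = {"test@kraz.in": {"email": "test@kraz.in", "password_hash": "<existing hash>"}}
RECOVERY = {}   # email -> (sha256(secret), expiry); the raw secret is never stored
OUTBOX = []     # (email, secret) pairs the mailer would deliver to the inbox owner


def hash_password(password: str) -> str:
    # PBKDF2 stands in for argon2id here (stdlib only); the flow, not the KDF, is the point.
    salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return f"$pbkdf2-sha256${salt.hex()}${key.hex()}"


def start_recovery(email: str) -> dict:
    """POST /v1/account/recovery: the secret goes to the mailbox, never into the response."""
    if email in USERS:
        secret = secrets.token_urlsafe(32)
        digest = hashlib.sha256(secret.encode()).hexdigest()
        RECOVERY[email] = (digest, time.time() + TOKEN_TTL)
        OUTBOX.append((email, secret))
    # Identical body for known and unknown addresses, so the endpoint cannot enumerate users.
    return {"status": "ok"}


def finish_recovery(email: str, secret: str, new_password: str, now=None) -> bool:
    """PUT /v1/account/recovery: single-use, time-limited, compared in constant time."""
    now = time.time() if now is None else now
    entry = RECOVERY.get(email)
    if entry is None:
        return False
    digest, expires = entry
    presented = hashlib.sha256(secret.encode()).hexdigest()
    if now > expires or not hmac.compare_digest(digest, presented):
        return False
    del RECOVERY[email]  # burn the token; a second PUT with the same secret fails
    USERS[email]["password_hash"] = hash_password(new_password)
    return True


PUBLIC_FIELDS = ("email",)  # allowlist: anything not named here never leaves the server


def public_user_view(user: dict) -> dict:
    """GET /v1/users: serialise from an allowlist so password_hash cannot leak by omission."""
    return {k: user[k] for k in PUBLIC_FIELDS if k in user}
```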

freakynit|4 days ago

You know why connections have exhausted? Because I issued this: "ALTER DATABASE postgres CONNECTION LIMIT 0;"

Nice UI, but same security vulnerabilities as I've seen typically found in vibe-coded projects.