
[Bug] [SECURITY] Login endpoint leaks user existence (User Enumeration) #92


@Pratyush-Panda-2006

Description
The login controller in userAuth.js returns distinct error messages depending on whether an email exists in the database. Specifically:

If the email does not exist: throws "User not found".
If the email exists but the password is incorrect: throws "Invalid Credentials".
This allows attackers to easily enumerate registered email addresses on the platform by observing the error responses.

Impact
Privacy Leakage: Attackers can determine which email addresses have accounts on the platform.
Brute Force Targeting: Enables attackers to build lists of valid user emails for targeted credential stuffing or phishing attacks.
Location in Code
userAuth.js:

```javascript
const user = await User.findOne({ email });
// Distinct message when the email is not registered
if (!user) throw new Error("User not found");
const match = await bcrypt.compare(password, user.password);
// Different message when the email exists but the password is wrong
if (!match) {
  throw new Error("Invalid Credentials");
}
```
