Linking existing PNID - Server doesn't check email validity #28
Comments
Bumping this for security reasons.
I believe we already discussed this but isn't this only a "security" issue if the attacker already has the user's username/password? If an attacker already has a user's login it's game over, they can already get the user's email address just by logging in?
Potentially, though it may let them bypass usual checks (like CAPTCHA/etc) to retrieve email, assuming we had a CAPTCHA on logins on the website in future.
What is the error sent when the email does not match?
Has this been resolved, or may I work on seeing if I can fix it if I find the error in source code, not matching it correctly?
When trying to link a PNID to a console, the server should check PNID, password, AND email - the following HTTP headers are sent:
NB:
X-Nintendo-Local-Pin-Flag: Y
is set if Parental Controls IS enabled.
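An added sketch of the check this issue asks for, next to the password-only behaviour it reports. This is not the project's code. The account store, field names, function names, PBKDF2 as the password hash, and case-insensitive email comparison are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password hash the server really uses (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def normalize_email(email: str) -> str:
    # Assumption: addresses compare case-insensitively, ignoring outer whitespace.
    return email.strip().lower()

# Constructed sample account store; field names are hypothetical.
_SALT = os.urandom(16)
ACCOUNTS = {
    "examplepnid": {
        "salt": _SALT,
        "password_hash": hash_password("correct horse", _SALT),
        "email": "owner@example.com",
    }
}
# Placeholder record so unknown PNIDs still go through the same hashing work.
_DUMMY = {"salt": b"\x00" * 16, "password_hash": b"\x00" * 32, "email": ""}

def link_password_only(username, password, email):
    """Behaviour reported in the issue: the supplied email is never compared."""
    account = ACCOUNTS.get(username)
    if account is None:
        return None
    supplied = hash_password(password, account["salt"])
    if hmac.compare_digest(supplied, account["password_hash"]):
        return account
    return None

def link_with_email_check(username, password, email):
    """Requires PNID, password AND email to match before linking."""
    account = ACCOUNTS.get(username)
    record = account or _DUMMY
    password_ok = hmac.compare_digest(
        hash_password(password, record["salt"]), record["password_hash"])
    email_ok = hmac.compare_digest(
        normalize_email(email).encode(), record["email"].encode())
    # Evaluate every factor first, then make a single accept/reject decision.
    if account is not None and password_ok and email_ok:
        return account
    return None
```
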