Linking existing PNID - Server doesn't check email validity #28
Comments
|
Bumping this for security reasons. |
I believe we already discussed this but isn't this only a "security" issue if the attacker already has the users username/password? If an attacker already has a users login it's game over, they can already get the users email address just by logging in? |
|
Potentially, though it may let them bypass usual checks (like CAPTCHA/etc) to retrieve email, assuming we had a CAPTCHA on logins on the website in future. |
|
What is the error sent when the email does not match |
|
Has this been resolved, or may I work on seeing if I can fix it if I find the error in source code, not matching it correctly? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When trying to link a PNID to a console, the server should check PNID, password, AND email - the following HTTP headers are sent:
NB:
X-Nintendo-Local-Pin-Flag: Yis set if Parental Controls IS enabled.The text was updated successfully, but these errors were encountered: