
Ask HN: Endpoint Security Question - takklz
Random question that perhaps someone could shed some light on.

My buddy and I are having an argument regarding one of our pages. The page is for unsubscribing from emails. Simple enough, the endpoint looks like this:

Blah blah.com/emailpref?email=test@test.com

This takes them to a page saying: “Thanks, John for visiting your email preferences page”.

From there they manage their email preferences.

I told him that this is a super insecure design, and theoretically someone could brute force usernames and emails from this.

Am I overreacting? What am I missing here?
======
ssklash
Pentester here. Absolutely something I would look at and abuse. You're
disclosing information, allowing the harvesting of valid email addresses, and
allowing access to an account, even if only in a limited capacity for email
management, based on only the email. There's no reason to do it this way.

See here: [https://portswigger.net/web-security/access-control/idor](https://portswigger.net/web-security/access-control/idor)
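
To make the two points above concrete, here is an added example (not code from the thread or from the site being discussed) that puts the email-keyed design next to a token-based one. The subscriber table, names, addresses and function names are constructed for illustration. The vulnerable handler answers differently for registered and unregistered addresses and hands out the preferences page on the address alone; the hardened version only honours an HMAC-signed, expiring token the server minted and mailed to the user, and the "request a link" entry point gives the same answer either way so it cannot be used to confirm which addresses exist.

```python
"""Email-keyed preferences URL (IDOR) versus a signed per-user capability token.

Hypothetical example with constructed sample data; not the original site's code.
"""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed sample subscriber table; stands in for the real database.
USERS = {
    42: {"email": "john@example.com", "name": "John", "newsletter": True},
    43: {"email": "jane@example.com", "name": "Jane", "newsletter": True},
}
EMAIL_TO_ID = {u["email"]: uid for uid, u in USERS.items()}


def vulnerable_emailpref(email: str) -> str:
    """The design from the post: /emailpref?email=... with no other credential.

    Two problems show in the return value alone: the response differs for
    registered and unregistered addresses (a validity oracle), and anyone who
    supplies a registered address gets that subscriber's preferences page.
    """
    uid = EMAIL_TO_ID.get(email)
    if uid is None:
        return "Unknown email address"
    return f"Thanks, {USERS[uid]['name']} for visiting your email preferences page"


# --- Hardened version: a signed, expiring capability token per subscriber ---

SERVER_SECRET = secrets.token_bytes(32)  # in practice loaded from a secrets manager
TOKEN_TTL_SECONDS = 7 * 24 * 3600        # links in old emails eventually stop working


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_pref_token(uid: int, now: Optional[float] = None) -> str:
    """HMAC-SHA256 over (uid, expiry); only the holder of SERVER_SECRET can mint one."""
    expires = int((now if now is not None else time.time()) + TOKEN_TTL_SECONDS)
    payload = f"{uid}:{expires}".encode()
    mac = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return f"{_b64u(payload)}.{_b64u(mac)}"


def verify_pref_token(token: str, now: Optional[float] = None) -> Optional[int]:
    """Return the subscriber id if the token is genuine and unexpired, else None."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload = _unb64u(payload_b64)
        presented_mac = _unb64u(mac_b64)
    except ValueError:  # malformed token; binascii.Error is a ValueError subclass
        return None
    expected_mac = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(presented_mac, expected_mac):  # constant-time compare
        return None
    # Payload is trusted only after the MAC check; it was produced by mint_pref_token.
    uid_str, expires_str = payload.decode().split(":", 1)
    if int(expires_str) < (now if now is not None else time.time()):
        return None
    uid = int(uid_str)
    return uid if uid in USERS else None


def hardened_emailpref(token: str) -> str:
    """/emailpref?token=... : the page is reachable only with a server-minted token."""
    uid = verify_pref_token(token)
    if uid is None:
        return "This link is invalid or has expired."
    return f"Thanks, {USERS[uid]['name']} for visiting your email preferences page"


OUTBOX = []  # stand-in for the mail sender: list of (recipient, link)


def request_pref_link(email: str) -> str:
    """Entry point for a user without a link. Same response whether or not the
    address is registered; the link itself goes only to that mailbox."""
    uid = EMAIL_TO_ID.get(email)
    if uid is not None:
        OUTBOX.append((email, f"https://example.com/emailpref?token={mint_pref_token(uid)}"))
    return "If that address is subscribed, we have emailed it a preferences link."


if __name__ == "__main__":
    print(vulnerable_emailpref("john@example.com"))
    print(vulnerable_emailpref("nobody@example.com"))  # different answer: an oracle
    print(request_pref_link("jane@example.com"))
    print(request_pref_link("nobody@example.com"))     # identical answer
    print(hardened_emailpref(mint_pref_token(42)))
    print(hardened_emailpref("not-a-real-token"))
```

The token carries only the numeric subscriber id and an expiry, not the email address, so the link does not leak the address into proxy or web-server logs, and rotating SERVER_SECRET invalidates every outstanding link at once.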

~~~
takklz
Thank you so much for the reply!!

