Random question that perhaps someone could shed some light on.<p>My buddy and I are having an argument regarding one of our pages. The page is for unsubscribing from emails. Simple enough, the endpoint looks like this:<p>Blah blah.com/emailpref?email=test@test.com<p>This takes them to a page saying. “Thanks, John for visiting your email preferences page”.<p>From there they manage their email preferences.<p>I told him that this is a super insecure design, and theoretically someone could brute force usernames and emails from this.<p>Am I overreacting? What am I missing here?
Pentester here. Absolutely something I would look at and abuse. You're disclosing information, allowing the harvesting of valid email addresses, and allowing access to an account. even if only in a limited capacity for email management, based on only the email. There's no reason to do it this way.<p>See here: <a href="https://portswigger.net/web-security/access-control/idor" rel="nofollow">https://portswigger.net/web-security/access-control/idor</a>