🔍 Authentication Warning: Username Enumeration Flaw on https://getbarkeep.org
0 views
Skip to first unread message
Client Departs
Nov 1, 2025, 7:38:51 PMNov 1
to getba...@googlegroups.com
Severity: High
Bug Name: Username Enumeration
Website: https://getbarkeep.org
PoC URL: https://getbarkeep.org/wp-json/wp/v2/users/
Description:
Your application reveals different responses when valid or invalid usernames/emails are submitted during login or password recovery, allowing attackers to enumerate valid users.
Impact:
- Facilitates account discovery by malicious actors.
- Increases risk of targeted attacks and spam.
- Reduces overall security posture of authentication systems.
Suggested Fix:
- Return generic error messages.
- Add delay or lockout mechanisms after repeated failures.
- Apply bot protection tools like reCAPTCHA.
White Hat Note:
Our goal is to make the internet safer through responsible testing and reporting. We are glad to help secure your site and hope it brings peace of mind. We would appreciate hearing about reward or acknowledgment you may offer.
Bug Name: Username Enumeration
Website: https://getbarkeep.org
PoC URL: https://getbarkeep.org/wp-json/wp/v2/users/
Description:
Your application reveals different responses when valid or invalid usernames/emails are submitted during login or password recovery, allowing attackers to enumerate valid users.
Impact:
- Facilitates account discovery by malicious actors.
- Increases risk of targeted attacks and spam.
- Reduces overall security posture of authentication systems.
Suggested Fix:
- Return generic error messages.
- Add delay or lockout mechanisms after repeated failures.
- Apply bot protection tools like reCAPTCHA.
White Hat Note:
Our goal is to make the internet safer through responsible testing and reporting. We are glad to help secure your site and hope it brings peace of mind. We would appreciate hearing about reward or acknowledgment you may offer.
Client Departs
Nov 4, 2025, 12:06:37 AMNov 4
to getba...@googlegroups.com
Dear Team,
I hope you're doing well. I wanted to follow up on the vulnerability I reported. I understand that security assessments and fixes take time, and I truly appreciate your team's efforts in addressing these issues.
Please confirm your interest if you are willing to fix the issue to avoid further follow-ups. If you have already fixed the issue, please let us know, and we will proceed with retesting.
As a security researcher, I responsibly reported this vulnerability to help secure your platform. In recognition of my efforts, I expect a reward, which can be sent via PayPal or bank transfer. I would appreciate an update on this discussion as well.
Looking forward to your response.
Best regards
I hope you're doing well. I wanted to follow up on the vulnerability I reported. I understand that security assessments and fixes take time, and I truly appreciate your team's efforts in addressing these issues.
Please confirm your interest if you are willing to fix the issue to avoid further follow-ups. If you have already fixed the issue, please let us know, and we will proceed with retesting.
As a security researcher, I responsibly reported this vulnerability to help secure your platform. In recognition of my efforts, I expect a reward, which can be sent via PayPal or bank transfer. I would appreciate an update on this discussion as well.
Looking forward to your response.
Best regards
Client Departs
Nov 6, 2025, 12:20:14 AMNov 6
to getba...@googlegroups.com
Hello Team,
I’m following up once more regarding the vulnerability report. We’re happy to know you’ve received it and that it’s contributing to your security improvements.
As mentioned earlier, we would also appreciate a reward for the vuln, granted purely at your discretion. This doesn’t require a bug bounty program — it’s simply a way to acknowledge the effort put into reporting it ethically.
Thank you for your time and acknowledgment.
Best regards
I’m following up once more regarding the vulnerability report. We’re happy to know you’ve received it and that it’s contributing to your security improvements.
As mentioned earlier, we would also appreciate a reward for the vuln, granted purely at your discretion. This doesn’t require a bug bounty program — it’s simply a way to acknowledge the effort put into reporting it ethically.
Thank you for your time and acknowledgment.
Best regards
Client Departs
Nov 10, 2025, 12:09:22 AMNov 10
to getba...@googlegroups.com
Hello Team,
I hope everything is going well on your end. I wanted to politely follow up regarding the vulnerability we reported earlier.
While our main goal is to help improve your security posture, we would also welcome a reward for the vuln, should you decide to grant one. We fully understand this is not an obligation and depends entirely on your room and discretion.
Your acknowledgment and appreciation mean a lot to us.
Best regards
I hope everything is going well on your end. I wanted to politely follow up regarding the vulnerability we reported earlier.
While our main goal is to help improve your security posture, we would also welcome a reward for the vuln, should you decide to grant one. We fully understand this is not an obligation and depends entirely on your room and discretion.
Your acknowledgment and appreciation mean a lot to us.
Best regards
Client Departs
Nov 12, 2025, 12:04:42 AMNov 12
to getba...@googlegroups.com
Hello Team,
I hope this message finds you well. This is a gentle follow-up regarding the vulnerability report we submitted. Our intention has always been to responsibly disclose the issue and ensure the security of your platform.
As mentioned before, a reward is not something we expect by default, nor does it require a formal bug bounty program. It’s simply a gesture of appreciation that’s entirely at your discretion and room.
We’ll always value your acknowledgment of the report, and if you decide to provide a reward for reporting the bug ethically, we would greatly appreciate it.
Thank you for your time, and we remain open to assist further whenever you need.
Best regards
I hope this message finds you well. This is a gentle follow-up regarding the vulnerability report we submitted. Our intention has always been to responsibly disclose the issue and ensure the security of your platform.
As mentioned before, a reward is not something we expect by default, nor does it require a formal bug bounty program. It’s simply a gesture of appreciation that’s entirely at your discretion and room.
We’ll always value your acknowledgment of the report, and if you decide to provide a reward for reporting the bug ethically, we would greatly appreciate it.
Thank you for your time, and we remain open to assist further whenever you need.
Best regards
Client Departs
Nov 26, 2025, 11:04:13 AM (3 days ago) Nov 26
to getba...@googlegroups.com
Hello Team,
This will be my follow-up regarding the vulnerability report we submitted. We’re happy to have contributed to your security and will always be open to supporting your future security needs.
We would also be grateful if you considered a reward for the vuln, as a gesture of appreciation for the ethical reporting. Again, we recognize this is not required and it depends completely on your discretion.
Thank you for your acknowledgment and for taking the time to review our report.
Best regards
This will be my follow-up regarding the vulnerability report we submitted. We’re happy to have contributed to your security and will always be open to supporting your future security needs.
We would also be grateful if you considered a reward for the vuln, as a gesture of appreciation for the ethical reporting. Again, we recognize this is not required and it depends completely on your discretion.
Thank you for your acknowledgment and for taking the time to review our report.
Best regards
Reply all
Reply to author
Forward
0 new messages