Open Closed

Security Question #9430

eric_pulaski created

I've noticed that there is a FindByNameOrEmailAsync() method that takes a tenant ID and userEmaiOrUserName paramater. This is apparently used by the chat service? [I think some "friendship" class or method, if I remember correctly.]

Allowing somone (i.e., a potential hacker) to validate the tenant id and user's email, where they then only need to guess the password, is typically not a good security practice. Is this a potential security vulnerability? Has anyone brought this up before and/or have ASP.NET Zero customers passed security reviews with this API being available?

Thanks in advance for a reply.


1 Answer(s)
  • 0
    ismcagdas created
    Support Team

    Hi @eric_pulaski

    This app service can only be consumed by authorized users. You can also disable "chat with host" and "chat with other tenants" features so a tenant can't add another tenant's or host's users as a friend.