So today I wrote to SmugMug to let them know of a security vulnerability that allows you to enumerate user email addresses.
On the "Login" page, if I enter an invalid email address, your site tells me to check my email address. This means I can target individual users by their email address, making it a lot easier to gain access to their account.
This is their response (or the lack of a response):
Hi Liam, Thanks for taking the time and writing us with your report. We appreciate it. I will make sure it gets seen. Best Regards, Tristan Support Hero
Very disheartening response there from SmugMug. The reason I've released this publicly on the same day is that the lack of a response is, frankly, disgusting; it suggests that SmugMug don't have a proper security disclosure programme or process for handling such a disclosure. Please SmugMug, start taking security seriously.
Thing is, this is not a technical issue like XSS or SQLi, it's an application logic issue. You can see why they have implemented it this way, to provide a "better" user experience or user journey, but they have neglected to think about what the risk of implementing this is.
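To make the logic issue concrete, here is an added example (not SmugMug's code, and not from the original post) of a login handler written the way described above beside a hardened version, plus a small check a tester or developer can run against either. The user store, the `login_vulnerable` / `login_hardened` / `leaks_account_existence` names and the message strings are all constructed for this illustration. The hardened version returns one generic message for "unknown email" and "wrong password", and also hashes a dummy credential for unknown emails so the response time does not reveal the branch either.

```python
import hashlib
import hmac
import os

# Constructed sample user store: email -> (salt, PBKDF2 hash). Not real data.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential so an unknown email still costs one hash computation.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy", _DUMMY_SALT)

GENERIC_ERROR = "The email address or password you entered is incorrect."


def login_vulnerable(email: str, password: str) -> str:
    """Application-logic flaw: two different error strings reveal whether
    the email address has an account (the pattern described in the post)."""
    record = USERS.get(email)
    if record is None:
        return "Please check your email address."  # reveals: no such account
    salt, stored = record
    if hmac.compare_digest(_hash(password, salt), stored):
        return "OK"
    return "Incorrect password."                   # reveals: account exists


def login_hardened(email: str, password: str) -> str:
    """Same message for unknown email and wrong password, and a hash is
    computed on both paths so timing does not distinguish them either."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), stored)
    if ok and email in USERS:   # the dummy record must never log anyone in
        return "OK"
    return GENERIC_ERROR


def leaks_account_existence(login_fn) -> bool:
    """Check for the flaw: does an unknown email produce a different response
    from a known email with a wrong password? True means users can be enumerated.
    Uses a constructed known address; a real check would use a test account."""
    unknown = login_fn("nobody@example.com", "whatever")
    wrong_pw = login_fn("alice@example.com", "wrong password")
    return unknown != wrong_pw


if __name__ == "__main__":
    print("vulnerable leaks:", leaks_account_existence(login_vulnerable))  # True
    print("hardened leaks:  ", leaks_account_existence(login_hardened))    # False
```

The same check applies to any endpoint that takes an email address (password reset and sign-up forms are the usual other places the distinction leaks), and the generic message should be paired with rate limiting so that the remaining signal, "OK" versus not, cannot be harvested at scale.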