Description
While auditing the karma system for privilege boundary gaps, I found GET /api/karma falls back to an untrusted query parameter for user identity when no session exists, making it a zero-auth information disclosure endpoint.
The Problem
karma/route.ts lines 28-38: when currentUser() returns null, the handler accepts email from the URL query string and returns the full karma profile — karmaScore, karmaLevel, currentStreak, all badges with dates, and 10 most recent karmaTransactions including doubtId and replyId references.
middleware.tsx doesn't list /api/karma as protected. An attacker can query GET /api/karma?email=target@university.edu without any session and get the full profile of any user.
Proposed Fix
- remove the query parameter fallback entirely — an authenticated user should only see their own karma
- add if (!userContext) return 401 before accessing email
- if a public karma view is needed later, create a separate endpoint returning only level and badge names (not transactions or internal IDs)
- strip doubtId/replyId from response if ever made partially public
Any visitor can enumerate user emails and scrape activity data — a privacy violation for students on an academic platform.
I would like to work on this under GSSoC 26. please assign!
For labels, I think gssoc:approved + level:intermediate + type:security fits here.
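The fallback described above and the proposed fix, side by side, as an added TypeScript example that is not the project's code: it models the handler as a plain function (session plus request URL in, status and body out) over a constructed in-memory store, and assumes the later public view is keyed by an opaque public id rather than by email so it cannot be used to confirm which emails exist.

```typescript
// Constructed types and data standing in for the project's models and database.
type Txn = { amount: number; doubtId: string; replyId: string | null; at: string };
type KarmaProfile = {
  email: string; publicId: string; karmaScore: number; karmaLevel: string; currentStreak: number;
  badges: { name: string; awardedAt: string }[]; karmaTransactions: Txn[];
};
type Session = { email: string } | null;
type Result = { status: number; body: unknown };

const store: KarmaProfile[] = [{
  email: "alice@university.edu", publicId: "u-1", karmaScore: 420, karmaLevel: "Mentor", currentStreak: 7,
  badges: [{ name: "First Answer", awardedAt: "2025-01-02" }],
  karmaTransactions: [{ amount: 10, doubtId: "d-17", replyId: "r-91", at: "2025-03-01" }],
}];

// Shape of the reported bug: with no session, identity is taken from ?email= in the URL,
// so an unauthenticated caller receives the full profile, internal IDs included.
function karmaVulnerable(session: Session, url: URL): Result {
  const email = session?.email ?? url.searchParams.get("email");
  if (!email) return { status: 400, body: { error: "email required" } };
  const profile = store.find(p => p.email === email);
  return profile ? { status: 200, body: profile } : { status: 404, body: null };
}

// Fixed: identity comes only from the session; the query string is never consulted.
function karmaFixed(session: Session, _url: URL): Result {
  if (!session) return { status: 401, body: { error: "unauthenticated" } };
  const profile = store.find(p => p.email === session.email);
  return profile ? { status: 200, body: profile } : { status: 404, body: null };
}

// Optional public view per the proposal: level and badge names only. Transactions,
// doubtId/replyId and the email itself never leave the server; lookup is by opaque id.
function karmaPublic(publicId: string): Result {
  const profile = store.find(p => p.publicId === publicId);
  if (!profile) return { status: 404, body: null };
  return { status: 200, body: { karmaLevel: profile.karmaLevel, badges: profile.badges.map(b => b.name) } };
}
```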