Critical Security Vulnerability in Bundlrs Accounts (RESOLVED)
e6d6888c60 addresses a known security vulnerability in the handling of account IDs in Bundlrs. When the server updates, all users will be signed out of their accounts! Just log back in with your ID and you'll be fine. This logout is necessary in order to fix this bug!
The vulnerability was caused by /api/auth/register
sending back the hashed user ID as the cookie value and all other endpoints pulling the user using get_user_by_hashed to pull the user from this hashed ID. This means that anybody could sign into any account using their hashed ID, which is not the intended behavior.
(edited 1711055825659)