Shopware Store API Login Endpoint User Enumeration Vulnerability

Vulnerability

A user enumeration vulnerability has been identified in the Shopware Store API login endpoint, specifically in versions prior to 6.7.8.1 and 6.6.10.15. The issue arises because the endpoint returns different error codes based on whether the submitted email address belongs to a registered customer or is unknown. This discrepancy allows an unauthenticated attacker to enumerate valid customer accounts by probing email addresses. While the storefront login controller handles errors uniformly, the Store API exposes distinct error codes, creating an inconsistent defense that can be exploited.

Impact

Exploitation of this vulnerability allows customer email enumeration, confirming whether specific email addresses are registered. This could enable targeted phishing, more efficient credential-stuffing attempts, and a privacy violation by revealing an individual's association with a specific store.

Remediation

To address this vulnerability, it is recommended to unify error handling in the Store API login route by catching distinct exceptions and returning a generic error response, similar to the existing storefront login controller. Additionally, the registration endpoint should be updated to prevent email existence leakage by returning a generic success response and notifying the user via email.
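The login-side remediation described above, as an added example that is not Shopware code: a leaky handler that returns distinct error codes beside a uniform one, plus the check a test suite would run to confirm the two failure cases are indistinguishable. The customer table, password hashing, error code strings and handler names are constructed for this illustration.

```python
"""Login error handling: distinct versus generic failure responses (constructed example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed customer table: email -> hex SHA-256 of the password.
# A real store uses a salted, slow password hash; SHA-256 keeps the example short.
_CUSTOMERS = {
    "alice@example.com": hashlib.sha256(b"correct horse").hexdigest(),
}
# Dummy hash compared against when the email is unknown, so the hash
# comparison runs for both cases and timing does not leak existence either.
_DUMMY_HASH = hashlib.sha256(secrets.token_bytes(32)).hexdigest()


@dataclass(frozen=True)
class ApiResponse:
    status: int
    code: str  # error code field in the JSON body; constructed values below


def _password_matches(email: str, password: str) -> bool:
    stored = _CUSTOMERS.get(email, _DUMMY_HASH)
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored, candidate) and email in _CUSTOMERS


def login_leaky(email: str, password: str) -> ApiResponse:
    """Vulnerable pattern: the error code reveals whether the email is registered."""
    if email not in _CUSTOMERS:
        return ApiResponse(401, "CUSTOMER_NOT_FOUND")  # constructed code
    if not _password_matches(email, password):
        return ApiResponse(401, "BAD_CREDENTIALS")  # constructed code
    return ApiResponse(200, "OK")


def login_uniform(email: str, password: str) -> ApiResponse:
    """Hardened pattern: unknown email and wrong password collapse to one response."""
    if _password_matches(email, password):
        return ApiResponse(200, "OK")
    return ApiResponse(401, "BAD_CREDENTIALS")  # constructed code


def leaks_account_existence(handler) -> bool:
    """Regression check: the handler must answer identically for an unknown
    email and for a registered email with a wrong password."""
    unknown = handler("nobody@example.com", secrets.token_hex(8))
    known_bad = handler("alice@example.com", secrets.token_hex(8))
    return unknown != known_bad
```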

Added: Mar 11, 2026, 7:27 PM
Updated: Mar 11, 2026, 7:27 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 0.6
exploitability: 8.3
remediation: 7.7
relevance: 3.8
threat: 0.0
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.