Urgent - Kindly help to solve the serious vulnerability

I am currently developing an app using MIT App Inventor and Google AppScript. The app includes user registration and login features using email and password, which are functioning properly.

However, I have encountered a serious vulnerability where clicking the login button with blank details in the ID and password fields it logs in automatically by displaying the credentials of all registered users so far. I am seeking guidance on how to address this issue.

here's the vulnerability below

Additionally, after a successful login, I would like to display the user's email along with their username individually. How can I achieve this?

I would be more than happy to solve this issue with your help guys..

here's the project below

fix_username.aia (14.5 KB)

function doPost(e) {
var ss = SpreadsheetApp.openById('13FUnFMaNA-8kmLlIg06rlWw3IfXjqLV4a2x6c9wIl2g');
var sh = ss.getSheetByName("Sheet1");
var msg;

if (e.parameter.fn == "getusers" ) {
var loginData = sh.getDataRange().getValues();
var users = ;
for ( var i = 1; i < loginData.length; i++ ) {
msg = JSON.stringify(users);
else if ( e.parameter.fn == "register" ) {
sh.appendRow([e.parameter.email, e.parameter.pass, e.parameter.uname]); // Add username to the row
msg = "user registered";
else if ( e.parameter.fn == "login" ) {
var loginData = sh.getDataRange().getValues();
msg = "user not found";
for ( var i = 0; i < loginData.length; i++ ) {
if ( e.parameter.email == loginData[i][0] && e.parameter.pass == loginData[i][1]) { // Check email and password
msg = JSON.stringify(loginData[i][2]);



else if ( e.parameter.fn == "reset" ) {
var newpass = makePasswd();
var newHash = makeHash(newpass,e.parameter.key);
var loginData = sh.getDataRange().getValues();
for ( var i = 0; i < loginData.length; i++ ) {
if ( e.parameter.email == loginData[i][1]) {
var rngp = sh.getRange(i+1,3);
msg = "password reset";
GmailApp.sendEmail(e.parameter.email,"From AI2 App","Your new password is: " + newpass + "\n\n Use this new password to login.\n\n Thank you.");
return ContentService.createTextOutput(msg);

Someone kindly help to solve this

Somewhere along the line you are not clearing the login data from your non-persistent and persistent variables. Handle this, and, as previously advised, handle the various app departure/exit routes a user might take.

It will not happen automatically, you need to ensure your variables, and tinydb, and anything on the spreadsheet are cleared when the user logs out / leaves the app.

okay Tim, I have solved the issue, Thanks for these info's

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.