Urgent - Kindly help to solve the serious vulnerability

MIT App Inventor Help
, , , ,
1

I am currently developing an app using MIT App Inventor and Google AppScript. The app includes user registration and login features using email and password, which are functioning properly.

However, I have encountered a serious vulnerability where clicking the login button with blank details in the ID and password fields it logs in automatically by displaying the credentials of all registered users so far. I am seeking guidance on how to address this issue.

here's the vulnerability below

WhatsApp Image 2024-04-10 at 5.14.24 PM
WhatsApp Image 2024-04-10 at 5.14.24 PM1080×129 13.3 KB

Screenshot 2024-04-10 at 17.31.28
Screenshot 2024-04-10 at 17.31.281920×1069 168 KB

Additionally, after a successful login, I would like to display the user's email along with their username individually. How can I achieve this?

I would be more than happy to solve this issue with your help guys..

here's the project below

fix_username.aia (14.5 KB)

Script
function doPost(e) {
var ss = SpreadsheetApp.openById('13FUnFMaNA-8kmLlIg06rlWw3IfXjqLV4a2x6c9wIl2g');
var sh = ss.getSheetByName("Sheet1");
var msg;

if (e.parameter.fn == "getusers" ) {
var loginData = sh.getDataRange().getValues();
var users = ;
for ( var i = 1; i < loginData.length; i++ ) {
users.push(loginData[i][0]);
}
msg = JSON.stringify(users);
}
else if ( e.parameter.fn == "register" ) {
sh.appendRow([e.parameter.email, e.parameter.pass, e.parameter.uname]); // Add username to the row
msg = "user registered";
}
else if ( e.parameter.fn == "login" ) {
var loginData = sh.getDataRange().getValues();
msg = "user not found";
for ( var i = 0; i < loginData.length; i++ ) {
if ( e.parameter.email == loginData[i][0] && e.parameter.pass == loginData[i][1]) { // Check email and password
msg = JSON.stringify(loginData[i][2]);

  }
}

}

else if ( e.parameter.fn == "reset" ) {
var newpass = makePasswd();
var newHash = makeHash(newpass,e.parameter.key);
var loginData = sh.getDataRange().getValues();
for ( var i = 0; i < loginData.length; i++ ) {
if ( e.parameter.email == loginData[i][1]) {
var rngp = sh.getRange(i+1,3);
rngp.setValue(newHash);
msg = "password reset";
}
}
GmailApp.sendEmail(e.parameter.email,"From AI2 App","Your new password is: " + newpass + "\n\n Use this new password to login.\n\n Thank you.");
}
return ContentService.createTextOutput(msg);
}

2

Someone kindly help to solve this

3

Somewhere along the line you are not clearing the login data from your non-persistent and persistent variables. Handle this, and, as previously advised, handle the various app departure/exit routes a user might take.

It will not happen automatically, you need to ensure your variables, and tinydb, and anything on the spreadsheet are cleared when the user logs out / leaves the app.

5

okay Tim, I have solved the issue, Thanks for these info's

6

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.