Description
URL
No public security policy found.
Contact
Bounty
None
Additional Information
A critical security vulnerability has been identified in the API of fanbase.app. The API allows an attacker to send messages from multiple user accounts without proper authentication or authorization.
This suggests a failure to validate tokens or session ownership on message endpoints, which could lead to mass account impersonation and user privacy violations.
This issue was verified based on observed unauthorized messages being sent from various unrelated accounts to a single target user. For ethical and safety reasons, I am not including user data or screenshots.
I prefer to remain anonymous due to safety concerns but am reporting this issue to prevent further abuse.
This vulnerability could result in:
- Identity impersonation
- Harassment using other users' accounts
- Reputational damage
- Potential regulatory or platform takedowns (App Store, Play Store)
Fanbase should urgently review their backend API authentication and permission checks, particularly on all messaging-related endpoints.
Thank you for helping to escalate this responsibly.
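As an added illustration of the flaw class the report describes (not fanbase.app's code, whose API is not shown here), a minimal message-send endpoint that trusts a client-supplied sender id is placed beside one that binds the sender to the session owner, with a log check a defender could run; the session store and log records are constructed.

```python
"""Added example (not fanbase.app's code): weak vs hardened sender handling on a
message endpoint, plus a defender-side audit over constructed request logs."""
from dataclasses import dataclass, field

# Constructed session store: token -> account that authenticated with it.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


class Forbidden(Exception):
    """Raised when a request is refused."""


@dataclass
class Outbox:
    sent: list = field(default_factory=list)


def send_message_weak(outbox, token, body):
    """Failure mode the report suggests: the token is authenticated, but the
    sender is taken from the request body, so any logged-in caller can post
    as any account."""
    if token not in SESSIONS:
        raise Forbidden("not authenticated")
    msg = {"from": body["from"], "to": body["to"], "text": body["text"]}
    outbox.sent.append(msg)
    return msg


def send_message_hardened(outbox, token, body):
    """Sender comes from the session, never from the client; a mismatching
    'from' field is rejected (not silently overwritten) so it can be logged."""
    owner = SESSIONS.get(token)
    if owner is None:
        raise Forbidden("not authenticated")
    if body.get("from", owner) != owner:
        raise Forbidden("sender does not match session owner")
    msg = {"from": owner, "to": body["to"], "text": body["text"]}
    outbox.sent.append(msg)
    return msg


def rejected(handler, token, body):
    """True when the handler refuses the request."""
    try:
        handler(Outbox(), token, body)
        return False
    except Forbidden:
        return True


def audit_impersonation(log):
    """Flag logged requests whose claimed sender differs from the session owner;
    many such hits against one recipient match the pattern the report observed."""
    return [r for r in log if SESSIONS.get(r["token"]) != r["from"]]
```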