ninthinning.email Email Enumeration Vulnerability Sparks User Disclosure Debate
A now-patched Supabase configuration flaw left the user database of baseball platform ninthinning.email exposed to public email enumeration for an extended period before production access was revoked on April 30, 2026. Pull request #80 resolved the vulnerability, which resided in the `public.mlb_users` view—a Postgres construct that operated with elevated owner privileges, bypassing row-level security policies enforced on the underlying `auth.users` table.
The exposure mechanism was straightforward and required no special exploitation tooling. Because Supabase grants SELECT on objects in the `public` schema to both the `anon` and `authenticated` roles by default, and a Postgres view is by default evaluated with its owner's privileges (so RLS on the underlying table is checked against the owner, not the caller), any caller possessing the platform's anonymous key—embedded in the browser bundle shipped at `https://ninthinning.email`—could execute a simple query (`supabase.from('mlb_users').select('*')`) and receive a complete list of registered users' identifiers and email addresses. The view had existed in this configuration since its initial creation, making the exposure effectively public from inception.
The unresolved question centers on whether to proactively notify affected users. Proponents argue for transparency and regulatory goodwill, while critics note the low likelihood of exploitation: the vulnerability left no obvious external footprint and required prior knowledge of the view's existence. Cloudflare and Supabase access logs reportedly show no evidence of anomalous query patterns. The decision carries weight beyond optics—depending on jurisdiction, the exposure may trigger data breach notification obligations under GDPR, CCPA, or similar frameworks, regardless of whether enumeration was actually exploited. Security teams reviewing the incident have flagged that the combination of permissive default grants and view-layer privilege inheritance represents a documented Supabase anti-pattern that warrants broader architectural review.
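The following is an added example, not code from the ninthinning.email project or from pull request #80: it reconstructs the weak view in the shape the article describes, shows the two changes that close it (caller-privilege evaluation plus removal of the default grants), and ends with the audit queries a reviewer would run to find other views in the same state. The column list of the view and the exact original DDL are assumptions.

```sql
-- WEAK (assumed reconstruction): a plain view runs with its owner's privileges,
-- so RLS on auth.users is evaluated against the owner, and Supabase's default
-- grant on public-schema objects lets the anon role read every row.
CREATE VIEW public.mlb_users AS
  SELECT id, email FROM auth.users;   -- column list is an assumption

-- HARDENED step 1: evaluate the view with the caller's privileges
-- (security_invoker is available from Postgres 15 onward). Neither anon nor
-- authenticated holds SELECT on auth.users, so the query in the article now
-- fails with "permission denied" instead of returning the user list.
ALTER VIEW public.mlb_users SET (security_invoker = true);

-- HARDENED step 2: drop the default grants so the view is not reachable
-- through the anonymous key at all. Re-grant narrowly later if a product
-- feature genuinely needs it.
REVOKE SELECT ON public.mlb_users FROM anon, authenticated;

-- AUDIT 1: every view in the public schema that still runs as its owner.
-- reloptions is stored as text[] such as {security_invoker=true}; the
-- pattern accepts the boolean spellings Postgres allows.
SELECT c.relname AS view_name,
       pg_get_userbyid(c.relowner) AS owner,
       c.reloptions
FROM pg_class c
WHERE c.relnamespace = 'public'::regnamespace
  AND c.relkind = 'v'
  AND NOT EXISTS (
        SELECT 1
        FROM unnest(c.reloptions) AS opt
        WHERE opt ~* '^security_invoker=(true|on|t|yes|y|1)$'
      )
ORDER BY c.relname;

-- AUDIT 2: every public-schema table or view still readable by the
-- anonymous or authenticated role, i.e. what the shipped anon key can reach.
SELECT table_name, grantee, privilege_type
FROM information_schema.role_table_grants
WHERE table_schema = 'public'
  AND grantee IN ('anon', 'authenticated')
  AND privilege_type = 'SELECT'
ORDER BY table_name, grantee;
```

Run the two audit queries after any schema change that touches `auth.users`; a view that appears in the first result and whose name appears in the second is the same anti-pattern the article describes.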