## GitHub Issue: Critical Email Enumeration Vulnerability in Backoffice Login Flow
A critical security flaw has been identified in the backoffice login system: an email enumeration vulnerability. The current implementation in `app/backoffice/login/page.tsx` queries the users table directly by the submitted email address, a practice that diverges from the more secure tenant login pattern and gives an attacker a direct way to confirm which email addresses belong to registered users.

The vulnerability is isolated to the backoffice login flow, specifically within lines 36-43 of the `app/backoffice/login/page.tsx` file. The code uses `.eq("email", email)` to perform the lookup, which is flagged as a high-risk pattern. In contrast, the tenant login correctly queries by a user's unique identifier (`authData.user.id`), which does not leak sensitive information. The issue report explicitly recommends aligning the backoffice logic with the tenant pattern by changing the query to `.eq("id", authData.user.id)`.

This discrepancy is not a minor oversight but a critical security gap. Email enumeration is a foundational attack vector, enabling threat actors to map valid accounts, which is often the first step in targeted credential stuffing, phishing campaigns, or more sophisticated account takeover attempts. The vulnerability's priority is marked as critical (🔴), underscoring the immediate risk it poses to user privacy and system security by potentially exposing the entire registered user base to reconnaissance.
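The contrast the issue draws, as an added example that is not the project's code: a login routine that looks the profile row up by the submitted email leaks whether that email is registered, while the tenant-style routine authenticates first and then fetches the row by `authData.user.id`. The in-memory `users()` query builder, `signIn()`, and the `USERS`/`PASSWORDS` sample data are constructed stand-ins so the example runs offline.

```typescript
type UserRow = { id: string; email: string; role: string };

// Constructed sample rows standing in for the users table.
const USERS: UserRow[] = [
  { id: "u-1", email: "admin@example.test", role: "backoffice" },
  { id: "u-2", email: "tenant@example.test", role: "tenant" },
];
// Constructed credential store; a real auth layer would verify a password hash.
const PASSWORDS: Record<string, string> = { "u-1": "correct-horse", "u-2": "battery-staple" };

type Result = { data: UserRow | null; error: string | null };

// Hypothetical stand-in for the query-builder shape named in the issue: users().eq(col, val).single()
function users() {
  let rows = USERS;
  const q = {
    eq(col: keyof UserRow, val: string) { rows = rows.filter(r => r[col] === val); return q; },
    single(): Result {
      return rows.length === 1 ? { data: rows[0], error: null } : { data: null, error: "not found" };
    },
  };
  return q;
}

// Hypothetical stand-in for the auth layer: returns a user id only when the password matches.
function signIn(email: string, password: string): { user: { id: string } | null } {
  const row = USERS.find(r => r.email === email);
  if (row && PASSWORDS[row.id] === password) return { user: { id: row.id } };
  return { user: null };
}

// VULNERABLE (the flagged .eq("email", email) pattern): the row is fetched by the submitted
// email, and the two failure branches answer differently, so the response is an oracle
// for whether that email is registered.
function vulnerableLogin(email: string, password: string): string {
  const { data } = users().eq("email", email).single();
  if (!data) return "no account with that email";   // email unknown
  const authData = signIn(email, password);
  if (!authData.user) return "wrong password";      // email known
  return `ok:${data.role}`;
}

// HARDENED (the tenant pattern): authenticate first, then fetch by authData.user.id.
// Both failures collapse into one message, so nothing distinguishes known from unknown emails.
function hardenedLogin(email: string, password: string): string {
  const authData = signIn(email, password);
  if (!authData.user) return "invalid credentials";
  const { data } = users().eq("id", authData.user.id).single();
  return data ? `ok:${data.role}` : "invalid credentials";
}
```

Note that the hardened version also avoids ever querying on attacker-controlled input: the only key it uses comes from the auth layer after a successful sign-in.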
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security, vulnerability, authentication, privacy, code-review
- **Credibility**: unverified
- **Published**: 2026-04-17 01:22:39
- **ID**: 68478
- **URL**: https://whisperx.ai/en/intel/68478