Security Disclosure: TemplateMonster.com User API – Exposure of Personal Data

Summary:
A vulnerability in the TemplateMonster.com User API allows attackers to check whether a specific email address is registered on the platform. For registered users, the API also exposes the full name of the customer. This poses a significant privacy risk and violates GDPR requirements.

Affected Endpoint:

GET https://users.templatemonster.com/api/v1/users/lookup?login=<email>&expand=authClients

Vulnerability Details:
By querying the endpoint above, an attacker can determine whether an email address is associated with a registered account. For existing users, the API also returns the customer’s full name. Example:

https://users.templatemonster.com/api/v1/users/[email protected]&expand=authClients

The response contains:

  • User registration status
  • Full name of the registered user

Additional Issues:
At the same time as the initial discovery on September 11, 2025, a CORS error was also identified, preventing registered users from signing in. The vulnerability and CORS issue were reported to TemplateMonster on September 11, 2025, but the company did not even send an acknowledgment email. While the CORS error was eventually fixed, the security vulnerability in the API remains unaddressed, highlighting a very poor security and reporting management process at TemplateMonster.

Impact:

  1. Privacy Risk & GDPR Non-Compliance:
    The API exposes personal data without authentication or user consent. Full names are considered personal data under GDPR. Public exposure constitutes a violation of data protection regulations.
  2. User Enumeration & Credential-Stuffing Risk:
    Attackers can pre-check whether email addresses from leaked datasets are registered on TemplateMonster, facilitating targeted attacks, phishing, and credential-stuffing attempts.
  3. Data Enrichment for Malicious Purposes:
    Exposure of full names allows attackers to enrich existing datasets with real identities, increasing the risk of identity theft, social engineering, and other malicious activity.
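The enumeration risk described above is visible to the operator in ordinary access logs: one client walking a list of addresses through the lookup endpoint produces many distinct `login` values from one source in a short window, while a genuine sign-in flow touches one address a few times. The following detector is an added example written for this advisory, not TemplateMonster's code; the log format, the sample lines, the five-minute window and the threshold of five distinct addresses are all assumptions.

```python
"""Flag clients that query a user-lookup endpoint for many distinct addresses.

Added example for this advisory (not TemplateMonster's code). The log line
format, sample data and thresholds below are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

LOOKUP_PATH = "/api/v1/users/lookup"

# Constructed sample log: one client walks six addresses in ten seconds,
# another client checks its own address twice (a normal sign-in retry).
SAMPLE_LOG = """\
203.0.113.7 [20/Sep/2025:10:00:01 +0000] "GET /api/v1/users/lookup?login=a%40example.com&expand=authClients HTTP/1.1" 200
203.0.113.7 [20/Sep/2025:10:00:02 +0000] "GET /api/v1/users/lookup?login=b%40example.com&expand=authClients HTTP/1.1" 404
203.0.113.7 [20/Sep/2025:10:00:04 +0000] "GET /api/v1/users/lookup?login=c%40example.com&expand=authClients HTTP/1.1" 200
203.0.113.7 [20/Sep/2025:10:00:05 +0000] "GET /api/v1/users/lookup?login=d%40example.com&expand=authClients HTTP/1.1" 404
203.0.113.7 [20/Sep/2025:10:00:07 +0000] "GET /api/v1/users/lookup?login=e%40example.com&expand=authClients HTTP/1.1" 200
203.0.113.7 [20/Sep/2025:10:00:09 +0000] "GET /api/v1/users/lookup?login=f%40example.com&expand=authClients HTTP/1.1" 404
198.51.100.3 [20/Sep/2025:10:00:05 +0000] "GET /api/v1/users/lookup?login=me%40example.com HTTP/1.1" 200
198.51.100.3 [20/Sep/2025:10:00:40 +0000] "GET /api/v1/users/lookup?login=me%40example.com HTTP/1.1" 200
198.51.100.3 [20/Sep/2025:10:01:00 +0000] "GET /static/app.js HTTP/1.1" 200
"""

# Common-log-like format (assumption): ip [timestamp] "METHOD target PROTO" status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a lookup event dict for a line hitting LOOKUP_PATH, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if parts.path != LOOKUP_PATH:
        return None
    login = parse_qs(parts.query).get("login", [""])[0].lower()
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "login": login,
        "status": int(m["status"]),
    }


def max_distinct_logins(events, window):
    """Largest number of distinct addresses one client queried within any window."""
    counts = Counter()
    best = left = 0
    for right, ev in enumerate(events):
        counts[ev["login"]] += 1
        # Slide the left edge forward until the window fits.
        while ev["ts"] - events[left]["ts"] > window:
            old = events[left]["login"]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def find_enumerators(log_text, window=timedelta(minutes=5), threshold=5):
    """Map client IP -> peak distinct addresses, for clients at or above threshold."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        peak = max_distinct_logins(events, window)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))  # {'203.0.113.7': 6}
```

Counting distinct addresses rather than raw request volume is what separates enumeration from a user retrying their own sign-in; a production version would read the real log format, alert through the SIEM, and feed the flagged sources into the rate limiter or WAF.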

Severity: High

Recommended Mitigations:

  • Restrict access to the user lookup API endpoint to authenticated users only.
  • Mask or omit personal data such as full names for unauthenticated requests.
  • Implement rate limiting to mitigate automated enumeration attacks.
  • Conduct a GDPR compliance review to ensure proper handling of personal data.
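The first three mitigations can be illustrated in a single request handler. Below, as an added example for this advisory and not TemplateMonster's code, the behaviour described in the disclosure is placed beside a hardened version: unauthenticated callers receive one uniform response whether or not the address exists, authenticated callers get the full record only for their own address and a masked name otherwise, and a per-client rate limiter runs before either path. The request model, user store, function names, status codes and limits are assumptions.

```python
"""Vulnerable versus hardened user-lookup handler.

Added example for this advisory (not TemplateMonster's code). Request model,
user store, limits and response bodies are assumptions.
"""
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

# Constructed user store (assumption): normalised email -> full name
USERS = {
    "alice@example.com": "Alice Example",
    "bob@example.com": "Bob Example",
}

# Same status and body regardless of whether the address is registered,
# so the endpoint stops being an existence oracle for anonymous callers.
UNIFORM_RESPONSE = (202, {"message": "If this address is registered, instructions will be sent to it."})


@dataclass
class Request:
    login: str
    client_ip: str
    session_user: Optional[str] = None  # None means unauthenticated


class RateLimiter:
    """Sliding window per key: at most `limit` calls in any `window` seconds."""

    def __init__(self, limit=10, window=60.0):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self._hits[key]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def mask_name(full_name):
    """'Alice Example' -> 'A. E.' : enough to confirm a match, not to enrich a dataset."""
    return " ".join(part[0] + "." for part in full_name.split() if part)


def vulnerable_lookup(req):
    """Behaviour the advisory describes: no auth, existence and full name disclosed."""
    name = USERS.get(req.login.lower())
    if name is None:
        return 404, {"registered": False}
    return 200, {"registered": True, "name": name}


def hardened_lookup(req, limiter, now=None):
    # 1. Rate limit first so bulk enumeration is stopped before any data access.
    if not limiter.allow(req.client_ip, now):
        return 429, {"error": "too many requests"}
    # 2. Unauthenticated callers never learn whether the address exists.
    if req.session_user is None:
        return UNIFORM_RESPONSE
    name = USERS.get(req.login.lower())
    if name is None:
        return 404, {"registered": False}
    # 3. Full name only for the caller's own record; masked for anyone else.
    if req.login.lower() == req.session_user.lower():
        return 200, {"registered": True, "name": name}
    return 200, {"registered": True, "name": mask_name(name)}


if __name__ == "__main__":
    limiter = RateLimiter(limit=3, window=60.0)
    anon = Request("alice@example.com", "203.0.113.7")
    print(vulnerable_lookup(anon))                 # (200, {'registered': True, 'name': 'Alice Example'})
    print(hardened_lookup(anon, limiter, now=0.0))  # (202, {...uniform message...})
```

The uniform response matters more than the masking: once anonymous callers can no longer distinguish registered from unregistered addresses, the credential-stuffing pre-check loses its value, and the rate limiter keeps even authenticated accounts from turning the endpoint into a bulk name-resolution service.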

Disclosure Timeline:

  • September 11, 2025 – Initial discovery of the API vulnerability and CORS error; reported to TemplateMonster. No acknowledgment received.
  • CORS error – subsequently fixed; API vulnerability remains.
  • September 15, 2025 – Follow-up report with detailed information on user data exposure.
  • September 20, 2025 – API vulnerability still not fixed.
