Legal Robot: Missing restriction on string size in profile fields

2016-11-06T22:15:55
ID H1:180548
Type hackerone
Reporter arnonymous
Modified 2017-01-20T03:54:03

Description

A security researcher reported that there was no restriction on the amount of text that could be inserted into a user's profile field. The researcher also demonstrated that when the text size was large enough, the service was restarted, resulting in a momentary outage in our non-production environment (not high-availability). An internal reproduction showed isolated disruption but no outage in our production environment.
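
The class of fix this report calls for, sketched as an added example (not Legal Robot's code): a server-side check that caps the whole request body before parsing and then caps each profile field. The field names, limits, status codes and the `validate_profile_update` helper are assumptions made for illustration.

```python
import json

# Assumed limits for illustration; the real schema is not given in the report.
MAX_BODY_BYTES = 16 * 1024      # checked before any decoding or parsing
FIELD_LIMITS = {                # maximum length in Unicode code points
    "display_name": 100,
    "company": 200,
    "bio": 2000,
}


class ProfileError(ValueError):
    """Validation failure carrying an HTTP-style status and per-field errors."""

    def __init__(self, status, errors):
        super().__init__(f"{status}: {errors}")
        self.status = status
        self.errors = errors


def validate_profile_update(raw_body: bytes) -> dict:
    # 1. Refuse oversized requests while they are still raw bytes, so a huge
    #    payload is never decoded, parsed, copied or written to the database.
    if len(raw_body) > MAX_BODY_BYTES:
        raise ProfileError(413, {"_body": "request body too large"})
    try:
        data = json.loads(raw_body.decode("utf-8"))
    except (ValueError, RecursionError):  # bad UTF-8, bad JSON, deep nesting
        raise ProfileError(400, {"_body": "malformed JSON"}) from None
    if not isinstance(data, dict):
        raise ProfileError(400, {"_body": "expected a JSON object"})

    # 2. Allow-list fields and enforce a per-field cap; report every failure.
    errors, clean = {}, {}
    for name, value in data.items():
        limit = FIELD_LIMITS.get(name)
        if limit is None:
            errors[name] = "unknown field"
        elif not isinstance(value, str):
            errors[name] = "must be a string"
        elif len(value) > limit:
            errors[name] = f"exceeds {limit} characters"
        else:
            clean[name] = value
    if errors:
        raise ProfileError(422, errors)
    return clean
```

The same caps belong at every layer that handles the value (reverse proxy body limit, application validation, database column length), since a client-side `maxlength` attribute alone is not enforced by the server.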