The migrate-email endpoint is requiring Email, Username, and Password parameter. The Username parameter value will be queried to _userManager.Users and will returning data to user variable, if user variable contain null value, the application will return bad request with “Invalid username” message, which is similar to user doesn’t exist message.
This bad request message can be used for user enumeration, with the asumption if an Username parameter value using the valid username, the backend will returing the different message.
- Email parameter with any email value
- Username parameter with any value
- Password parameter with any value