Users or API keys with permission to expire verification codes could have expired codes that belonged to another realm if they guessed the UUID.
v1.1.2+
There are no workarounds, and there are no indications this has been exploited in the wild. Verification codes can only be expired by providing their 64-bit UUID, and verification codes are already valid for a very short period of time (thus the UUID rotates frequently).
Contact [email protected]
CPE | Name | Operator | Version |
---|---|---|---|
github.com/google/exposure-notifications-verification-server | lt | 1.1.2 |