Get all instacart emails - missing rate limit on /accounts/register

Hey Instacart team, When signing up for an account, you enter your email. When this email is already in use, the server responds with "{"errors":{"email":["has already been taken"]}}" This in not a problem, but the fact that you could send this request unlimited times is the issue. This way we can easily get a list of all users emails signed up at Instacart. ###PoC Send this POST request to "https://www.instacart.com/accounts/register" >POST /accounts/register HTTP/1.1 Host: www.instacart.com User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 X-CSRF-Token: /KCdKtn9A4Oaf7/MAlc/ixhz4h4IPuxEWLRBcAg/heMpt3kcLiMYDZ9ZUnLcHtA5SR+fDrJVorqIuO0h9zr/uQ== Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Referer: https://www.instacart.com/ Content-Length: 316 Cookie: build_sha=31340a4bf316c78fff58fe0f5ed3b92ad2c591dc; ahoy_visitor=8ca5f95a-239e-4853-bd06-3f4461c67ae1; ahoy_visit=5493572a-38ab-4bea-ab80-9c005fa2e94b; _instacart_session=__Your_Session_Here__; ajs_user_id=null; ajs_group_id=null; ajs_anonymous_id=%22c00a35c4-3997-4dc9-841c-85655de95dea%22 DNT: 1 Connection: close >user%5Bsource%5D=web&user%5Bremember_me%5D=1&user%5Bzip_code%5D=22222&user%5Bfirst_name%5D=test&user%5Blast_name%5D=test&user%5Bemail%5D=__The_Email_Here__&user%5Bpassword%5D=&read_terms=true&authenticity_token=%2FKCdKtn9A4Oaf7%2FMAlc%2Fixhz4h4IPuxEWLRBcAg%2FheMpt3kcLiMYDZ9ZUnLcHtA5SR%2BfDrJVorqIuO0h9zr%2FuQ%3D%3D The password field is left empty on purpose, so that when the email is not in use, no account will be made. If the email exists, this will be the response: "{"errors":{"email":["has already been taken"],"password":["can't be blank"]}}" When the email doesn't exist in the database, then this will be returned: "{"errors":{"password":["can't be blank"]}}" ###Fix to fix this issue, you could implement an timeout after a number of requests in a period of time. just like it is implemented here: https://www.instacart.com/accounts/password this returns "429 Too Many Requests" when making multiple requests in a short period of time. If you have any questions, feel free to ask them ;) @003random