Created by Rot4tion on 2/17/2025 in #💬│support
Security Concerns in Novu: Preventing Unauthorized Notification Access
I'm a beginner using Novu, and I have a security-related question. An attacker only needs the `NOVU_APPLICATION_IDENTIFIER` and the `subscriberId` to listen to a victim's notifications, and both of these are easily obtainable: the `NOVU_APPLICATION_IDENTIFIER` is exposed on the client side, and the `subscriberId` in SQL databases is often an incrementing number, making it predictable.

Novu's current security solution for this issue is to use a `subscriberHash` when connecting. However, an attacker can modify the client code to connect without including the `subscriberHash`, since there is no configuration on Novu's host that enforces a requirement for the `subscriberHash` to be present when users connect.