Capgo - Information Disclosure via Unauthenticated /updates defaultChannel Parameter
Description
Capgo before 12.128.2 contains an information disclosure vulnerability in the unauthenticated /updates endpoint that resolves the defaultChannel parameter before enforcing privacy restrictions, allowing attackers to enumerate private channels and leak version/config state. Unauthenticated attackers can probe private channel names and distinguish valid channels from nonexistent ones based on response differences, revealing assigned bundle versions and platform-specific configuration details.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability mechanics
Root cause
"The defaultChannel parameter is resolved by name before privacy/self-set restrictions are enforced, allowing unauthenticated callers to probe private channel existence and extract channel-specific metadata."
Attack vector
An unauthenticated attacker sends a POST request to the `/updates` endpoint with a caller-controlled `defaultChannel` parameter. The endpoint resolves the channel name before enforcing privacy checks, so the attacker can distinguish valid private channels from nonexistent ones based on differences in the error, version, and major fields of the JSON response [ref_id=1]. For valid private channels, the response also reveals the assigned bundle version and configuration details such as whether the platform is disabled or whether the update would be a major-version upgrade [CWE-200].
Affected code
The vulnerability resides in `capgo/supabase/functions/_backend/utils/pg.ts` (lines 709–710) where the `defaultChannel` parameter is resolved by `app_id` and channel name without requiring the channel to be public or self-settable, and in `capgo/supabase/functions/_backend/utils/update.ts` (lines 165–173, 226–233, 243–250) where the resolved channel is used to generate denial responses that leak channel-specific metadata before the privacy restriction is enforced at lines 253–259 [ref_id=1].
What the fix does
The advisory does not include a patch diff, but the recommended fix is to move the privacy/self-set restriction check before the channel resolution result is used to generate denial responses [ref_id=1]. By enforcing access controls on the resolved channel before any branch-specific metadata is returned, the `/updates` endpoint would no longer distinguish between nonexistent channels and private channels, and would not leak version or configuration state for channels the caller is not authorized to see.
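The ordering described in "Attack vector" and "What the fix does", modelled as an added example. This is not Capgo's code: the channel fields, the in-memory table standing in for the pg.ts lookup, and the error strings are constructed assumptions; only the check order is taken from the advisory text.

```typescript
// Added example, not Capgo's code: a minimal model of the ordering flaw described above.
// Channel fields and the in-memory table are constructed stand-ins for the pg.ts lookup.
type Channel = {
  appId: string; name: string; isPublic: boolean; selfSettable: boolean;
  version: string; platformDisabled: boolean;
};

const CHANNELS: Channel[] = [
  { appId: "com.example.app", name: "production", isPublic: true, selfSettable: true,
    version: "1.4.0", platformDisabled: false },
  { appId: "com.example.app", name: "internal-qa", isPublic: false, selfSettable: false,
    version: "2.0.0", platformDisabled: true },
];

type UpdateResponse = { error: string; version?: string; major?: boolean };

function resolveChannel(appId: string, name: string): Channel | undefined {
  return CHANNELS.find((c) => c.appId === appId && c.name === name);
}

function isMajorUpgrade(current: string, target: string): boolean {
  return parseInt(target.split(".")[0], 10) > parseInt(current.split(".")[0], 10);
}

// Vulnerable ordering: channel-specific denials are built from the resolved channel
// before the public/self-settable restriction runs, so the error and version fields
// differ between a nonexistent channel and a private one (constructed error strings).
function updatesVulnerable(appId: string, defaultChannel: string, current: string): UpdateResponse {
  const ch = resolveChannel(appId, defaultChannel);
  if (!ch) return { error: "channel_not_found" };
  if (ch.platformDisabled) return { error: "disabled_platform", version: ch.version };
  if (isMajorUpgrade(current, ch.version))
    return { error: "disable_auto_update_to_major", version: ch.version, major: true };
  if (!ch.isPublic && !ch.selfSettable) return { error: "channel_not_allowed" };
  return { error: "", version: ch.version };
}

// Fixed ordering: the access check is applied to the resolution result first, so an
// unauthorized caller gets exactly the same response whether or not the channel exists.
function updatesFixed(appId: string, defaultChannel: string, current: string): UpdateResponse {
  const ch = resolveChannel(appId, defaultChannel);
  if (!ch || (!ch.isPublic && !ch.selfSettable)) return { error: "channel_not_found" };
  if (ch.platformDisabled) return { error: "disabled_platform", version: ch.version };
  if (isMajorUpgrade(current, ch.version))
    return { error: "disable_auto_update_to_major", version: ch.version, major: true };
  return { error: "", version: ch.version };
}
```

A regression check for this class of bug is to assert that the serialized response for a private channel is byte-identical to the response for a channel name that does not exist.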
Preconditions
- Input: The attacker must know or guess a valid app_id for a Capgo-managed application.
- Network: The target /updates endpoint must be publicly accessible without authentication.
Generated on Jun 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/Cap-go/capgo/security/advisories/GHSA-pgmr-gw53-7f77 (mitre, vendor-advisory)
- www.vulncheck.com/advisories/capgo-information-disclosure-via-unauthenticated-updates-defaultchannel-parameter (mitre, third-party-advisory)