
PII Exposure via Email Confirmation Link – Email Embedded in Token & Leaked via Wayback Machine

Medium
Omise
Reported by mantu1738

Vulnerability Details

Technical details and impact analysis

Information Disclosure
An email confirmation link used by Omise (dashboard.omise.co) includes the user's email address embedded in a token that is visible in the URL. This token has been archived publicly by the Wayback Machine (archive.org), resulting in public exposure of personally identifiable information (PII).

## Steps To Reproduce:

1. Visit an archived page on the Wayback Machine containing a confirmation URL:

```
https://dashboard.omise.co/users/confirm_email/BAhbCGkD5+gCVTogQWN0aXZlU3VwcG9ydDo6VGltZVdpdGhab25lWwhJdToJVGltZQ1qVh%2FA51yK3Ak6DW5hbm9fbnVtaQH7Og1uYW5vX2RlbmkGOg1zdWJtaWNybyIHJRA6CXpvbmVJIghVVEMGOgZFRkkiCFVUQwY7C1RJdTsGDWpWH8DnXIrcCTsHaQH7OwhpBjsJIgclEDsKQAlJIiFtYW50dWhhY2tlcm9uZTE3MzhAZ21haWwuY29tBjsLVA==--5d75e1da7fbede4b6285f61f758e5dbed8d62604
```

2. Extract the token from the URL and Base64-decode it:

```
import base64
import re
from urllib.parse import unquote

# The part of the path before "--"; the "--<hex>" suffix is a signature, not Base64.
token = "<Base64_part>"
# The token is percent-encoded in the URL ("%2F"), so undo that before Base64-decoding.
decoded_token = base64.b64decode(unquote(token))
# Search the decoded bytes for anything shaped like an email address.
print(re.findall(rb"[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}", decoded_token))
```

3. Observe that the token contains a full email address, e.g.: ***[email protected]***

## Recommendations

- Do not embed PII (email addresses) in tokens
- Disallow crawling of sensitive URLs with robots.txt

```
User-agent: *
Disallow: /users/confirm_email/
```

Note: I also tried this by creating my own account, and the URL in the confirmation email contains the email address.

```
https://dashboard.omise.co/users/confirm_email/BAhbCGkD5+gCVTogQWN0aXZlU3VwcG9ydDo6VGltZVdpdGhab25lWwhJdToJVGltZQ1qVh%2FA51yK3Ak6DW5hbm9fbnVtaQH7Og1uYW5vX2RlbmkGOg1zdWJtaWNybyIHJRA6CXpvbmVJIghVVEMGOgZFRkkiCFVUQwY7C1RJdTsGDWpWH8DnXIrcCTsHaQH7OwhpBjsJIgclEDsKQAlJIiFtYW50dWhhY2tlcm9uZTE3MzhAZ21haWwuY29tBjsLVA==--5d75e1da7fbede4b6285f61f758e5dbed8d62604
[email protected]
```

#POC {F4471309}

Thanks @mantu1738

## Impact

- Leaks **PII (email address)** in URL
- Publicly archived link on Wayback Machine exposes user identity
- Token is easily **Base64-decoded**
- Potential **email confirmation abuse** if token is replayable
- Risk of **user enumeration** or phishing
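The following is an added example written for this page; it is not code from the report, from Omise, or from the reporter. It contrasts the token design the report describes (a signed but unencrypted payload carrying the email, laid out as `<base64>--<signature>`) with an opaque, single-use token that keeps the email server-side, and it includes a defender-side check that scans a URL's path segments for email addresses in clear text or after Base64 decoding. Every name in it (`issue_leaky_token`, `issue_opaque_token`, `confirm_opaque_token`, `find_emails_in_url`, `SERVER_SECRET`, the `example.com` addresses and the `app.example.com` endpoint) is constructed for illustration.

```python
"""Added example, not code from the report or from Omise.
All names and values below are constructed for illustration."""
import base64
import hashlib
import hmac
import json
import re
import secrets
from urllib.parse import quote, unquote, urlparse

EMAIL_RE = re.compile(rb"[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}")
SERVER_SECRET = b"constructed-secret-do-not-hardcode"  # placeholder value
CONFIRM_PATH = "https://app.example.com/users/confirm_email/"  # assumed endpoint


def confirmation_url(token):
    # Percent-encode the token the way a mailer would ("/" becomes "%2F").
    return CONFIRM_PATH + quote(token, safe="")


# Design 1, the pattern in the report: a signed but unencrypted payload.
# The HMAC prevents forgery; it does nothing to stop anyone holding the URL
# (or an archived copy of it) from reading the email out of the payload.
def issue_leaky_token(email, expires_at):
    payload = base64.b64encode(
        json.dumps({"email": email, "exp": expires_at}).encode()).decode()
    sig = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "--" + sig  # "<base64>--<hex signature>" layout


# Design 2, the fix: a random opaque token. The email never leaves the
# server, and the token is consumed on first use, so an archived link
# cannot be replayed later.
PENDING = {}  # sha256(token) -> email; constructed in-memory stand-in for a DB


def issue_opaque_token(email):
    token = secrets.token_urlsafe(32)
    PENDING[hashlib.sha256(token.encode()).hexdigest()] = email  # store only a hash
    return token


def confirm_opaque_token(token):
    # pop() makes the token single use; returns None for unknown or used tokens.
    return PENDING.pop(hashlib.sha256(token.encode()).hexdigest(), None)


def find_emails_in_url(url):
    """Defender-side check: does any path segment contain an email address,
    either in clear text or after Base64 decoding? Tolerates URL encoding,
    a trailing '--<signature>' suffix and missing Base64 padding."""
    found = set()
    for segment in urlparse(url).path.split("/"):
        segment = unquote(segment)
        blobs = [segment.encode()]
        b64_part = segment.split("--", 1)[0]
        try:
            blobs.append(base64.b64decode(b64_part + "=" * (-len(b64_part) % 4)))
        except ValueError:
            pass  # not Base64; the clear-text check still applies
        for blob in blobs:
            found.update(m.decode() for m in EMAIL_RE.findall(blob))
    return sorted(found)


if __name__ == "__main__":
    leaky = confirmation_url(issue_leaky_token("alice@example.com", 1700000000))
    print("leaky token reveals:", find_emails_in_url(leaky))  # ['alice@example.com']
    opaque = confirmation_url(issue_opaque_token("bob@example.com"))
    print("opaque token reveals:", find_emails_in_url(opaque))  # []
```

`find_emails_in_url` is the kind of check that can run in a pre-release test over every templated link a mailer emits. The opaque design addresses the report's first recommendation directly and, because the token is popped on use, also the replay concern listed under Impact; a `robots.txt` rule only asks well-behaved crawlers to stay away and is not a control on its own.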

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Weakness

Information Disclosure