- Status: Closed
- Assigned To: cbay
- Private
- Opened by Drakon - 05.02.2025
- Last edited by cbay - 06.02.2025
FS#128 - Sensitive Data Exposure via Wayback Machine Archive
Report Summary:
I discovered a potential security issue where sensitive data is accessible via a URL archived by the Wayback Machine. The URL exposes an invoice containing personal and financial information, which could be misused if accessed by unauthorized individuals.
Details of the Issue:
1. Source of URL: Wayback Machine (Internet Archive)
3. Exposed Data:
4. Personal Information: Name (Simon Amour), email address (simondiligues@outlook.com).
5. Financial Information: Invoice amount (€100.00), bank account details (IBAN: FR76 1027 8060 4100 0205 8810 110, BIC: CMCIFR2A).
6. Service Details: Public Cloud service (10 GB) for the period 13/07/2022 to 27/07/2023.
7. Reference Numbers: Invoice reference (220713337102), user ID (150041), and token (1657692793-a13e927142b2d5d7f427).
Steps to Reproduce:
1. Access the URL via the Wayback Machine.
2. The PDF invoice containing sensitive data is directly accessible without additional authentication.
Impact:
This issue could lead to unauthorized access to sensitive personal and financial information, potentially resulting in identity theft, financial fraud, or other malicious activities. The fact that this data is archived on a public service like the Wayback Machine increases the risk of exposure.
Hello,
Invoice links sent in emails indeed do not require any authentication as it's only an invoice. If a user leaks such a link, it means that anyone can see their invoice.
Can you describe a scenario where having an invoice lets you do such things?
Kind regards,
Cyril
Hello Team,
Thank you for your response. While I understand that invoice links are typically accessible without authentication, the exposure of such links (e.g., via the Wayback Machine) could still pose risks. For example:
1. Social Engineering: Attackers could use the personal and financial details in the invoice to craft targeted phishing attacks.
2. Financial Fraud: Bank account details (IBAN/BIC) could be misused for unauthorized transactions or fraud.
3. Identity Theft: Personal information (name, email) could be used to impersonate the individual.
Even though invoices are less sensitive, their exposure could still lead to misuse. It might be worth considering additional safeguards, such as expiring links or restricting access to archived content.
Let me know if you need further details!
Best regards,
Drakon
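As an added example (not the vendor's code and not part of this report), one way to implement the expiring links suggested above: an invoice URL that carries its own expiry time and an HMAC over the invoice id and that expiry, so a link that leaks into a public archive stops resolving after a fixed window and a fresh link can be issued from the authenticated account page instead. The hostname, parameter names, secret key and seven-day TTL are all assumptions for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed server-side secret; a real deployment loads this from a secrets store.
SECRET_KEY = b"example-secret-do-not-use"
# Assumed policy: a mailed invoice link is valid for seven days.
DEFAULT_TTL = 7 * 24 * 3600
BASE_URL = "https://billing.example.invalid/invoice.pdf"  # placeholder host


def _signature(invoice_id: str, expires: int) -> str:
    """HMAC-SHA256 over the invoice id and expiry, so neither can be altered."""
    msg = f"{invoice_id}:{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_invoice_link(invoice_id: str, now: int, ttl: int = DEFAULT_TTL) -> str:
    """Build a time-limited download link for one invoice."""
    expires = now + ttl
    query = urlencode({
        "invoice": invoice_id,
        "expires": expires,
        "sig": _signature(invoice_id, expires),
    })
    return f"{BASE_URL}?{query}"


def verify_invoice_link(url: str, now: int) -> tuple[bool, str]:
    """Return (accepted, reason). The signature is checked before the expiry
    so a tampered expiry is reported as a bad signature, not as 'expired'."""
    params = parse_qs(urlparse(url).query)
    try:
        invoice_id = params["invoice"][0]
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False, "malformed"
    if not hmac.compare_digest(sig, _signature(invoice_id, expires)):
        return False, "bad-signature"
    if now >= expires:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a link issued at a fixed timestamp, then checked
    # inside and outside its validity window.
    issued_at = 1_700_000_000
    link = make_invoice_link("INV-0001", issued_at)
    print(link)
    print(verify_invoice_link(link, issued_at + 60))           # (True, 'ok')
    print(verify_invoice_link(link, issued_at + DEFAULT_TTL))  # (False, 'expired')
```

When `verify_invoice_link` returns `expired`, the handler should redirect to the customer's authenticated invoice page rather than serve the PDF, which keeps long-term access for the customer while removing the value of any copy of the old link.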
Hello Team,
Additionally, I noticed that the token in the URL was not expired, allowing the invoice to be accessed through the Wayback Machine even after a significant amount of time. This lack of token expiration increases the risk of unauthorized access to sensitive data.
Best regards,
Drakon
Hello Cyril,
Could you please confirm whether the token exhibits a non-expiring behavior from your end?
Best regards,
Drakon
I can confirm that those links do not expire on purpose, as many clients still need to access their invoices much longer after the mail was sent.
We've added a robots.txt to disallow archiving such links.
But anyway, if you make links to your invoices public, we cannot be held responsible.
Kind regards,
Cyril