Security vulnerabilities

  • Status Closed
  • Assigned To
    hdegorce
  • Private
Attached to Project: Security vulnerabilities
Opened by jignesh01 - 07.02.2025
Last edited by hdegorce - 10.02.2025

FS#129 - Sensitive Personal and Financial Data Exposure via Web Archive

Description:
The invoice issued by AlwaysData contains sensitive personal and financial information, which is publicly accessible through a web archive. This includes:

Personal details of the customer (Name: Simon Amour, Email: simondiligues@outlook.com).
Banking information such as the IBAN and BIC codes.
The invoice total and payment details.

Steps to Reproduce:
1. Access the archived URL: https://web.archive.org/web/20220713065916/https://admin.alwaysdata.com/billing/337102/pdf/?user_id=150041&token=1657692793-a13e927142b2d5d7f427

2. View the invoice, noting that it contains unredacted sensitive information, such as:
IBAN: FR76 1027 8060 4100 0205 8810 110
BIC: CMCIFR2A
Customer's Full Name: Simon Amour
Customer’s Email: simondiligues@outlook.com

3. The invoice is accessible without authentication, allowing any user to view it.

Impact:
This exposure of sensitive financial information could lead to identity theft, fraud, and financial loss. Unauthorized access to such data can also result in reputation damage for both the service provider (AlwaysData) and the customer (Simon Amour).

Suggested Remediation:
Remove the exposed document from the public web archive immediately.
Redact sensitive details such as IBAN, BIC, and personal information from invoices before uploading them to any public platform.
Implement access control mechanisms so that sensitive data is only accessible by authorized users.
Regularly audit publicly accessible data and ensure no personal or sensitive information is exposed.
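One way to carry out the audit recommended in the last remediation item, added here as an example and not part of the original report: a script that pulls a domain's captures from the Wayback Machine CDX index (a real endpoint) and flags captured URLs that carry access tokens or point at billing documents, so a provider can find leaked invoice links before a reporter does. The sensitive parameter and path lists, the example.com domain and the sample rows are constructed assumptions.

```python
import json
import urllib.request
from urllib.parse import urlsplit, parse_qs

# Query parameters and path fragments that suggest a captured URL carries a
# per-user access token or points at a private document (assumed lists).
SENSITIVE_PARAMS = {"token", "user_id", "session", "key"}
SENSITIVE_PATHS = ("/billing/", "/invoice", "/pdf/")


def fetch_cdx_rows(domain, limit=1000):
    """Fetch [timestamp, original_url] rows for every 200-status capture of
    any URL under `domain` from the Wayback CDX API. Needs network access."""
    url = ("https://web.archive.org/cdx/search/cdx?url=%s/*&output=json"
           "&fl=timestamp,original&filter=statuscode:200&limit=%d" % (domain, limit))
    with urllib.request.urlopen(url, timeout=30) as resp:
        rows = json.load(resp)
    return rows[1:]  # the first JSON row is the column header


def flag_sensitive_captures(rows):
    """Return captures whose URL has a sensitive query parameter or path,
    each with a direct Wayback link so the capture can be reviewed and
    an exclusion/removal request filed."""
    findings = []
    for timestamp, original in rows:
        parts = urlsplit(original)
        params = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
        hits = sorted(params & SENSITIVE_PARAMS)
        path_hit = any(p in parts.path for p in SENSITIVE_PATHS)
        if hits or path_hit:
            findings.append({
                "timestamp": timestamp,
                "url": original,
                "params": hits,
                "wayback": "https://web.archive.org/web/%s/%s" % (timestamp, original),
            })
    return findings


# Constructed sample rows in CDX format; only the first and last should be flagged.
SAMPLE_ROWS = [
    ["20220713065916", "https://admin.example.com/billing/1234/pdf/?user_id=42&token=PLACEHOLDER-TOKEN"],
    ["20220801120000", "https://www.example.com/pricing/"],
    ["20230105090000", "https://www.example.com/docs/?page=3"],
    ["20230302101010", "https://admin.example.com/reset/?key=PLACEHOLDER-KEY"],
]

if __name__ == "__main__":
    # Replace SAMPLE_ROWS with fetch_cdx_rows("admin.example.com") for a live audit.
    for f in flag_sensitive_captures(SAMPLE_ROWS):
        print(f["timestamp"], f["params"], f["wayback"])
```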

Closed by hdegorce
10.02.2025 09:58
Reason for closing: Duplicate
Admin

Duplicate from #39 and #128.
