Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by waloodi_109 - 11.09.2025
Last edited by cbay - 11.09.2025

FS#211 - Insecure Cache-Control Leading to View Email, Password and User Information.

# Insecure Cache-Control Leading to View Email, Password and User Information in https://www.alwaysdata.com/en/marketplace/ (All Applications).

Hello Team, I hope you are doing well. I found Insecure Cache-Control Leading to View Email, Password and User Information in https://www.alwaysdata.com/en/marketplace/ (All Applications).

Steps to Reproduce:

1. Go to https://www.alwaysdata.com/en/marketplace/.
2. Click the Install button of any application you want to install.
3. Fill in the form and submit the request.
4. It will go to https://admin.alwaysdata.com/user/validation-needed/.
5. Press the Back button and you can see all of the information you submitted shown in the form.

# Impact:

A PC scenario in an office, a library, a coffee shop or similar places allows an attacker to exploit this vulnerability (since the number of pages visited afterwards doesn't matter). It is also very easy to get access to a laptop, so this is a likely scenario, and once it happens the attacker has full control over the victim's app data since he/she can use the account.

# Note:

Tested in the latest version of Chrome, Firefox and Microsoft Edge.

Thank You,

Waleed Anwar

Closed by cbay
11.09.2025 12:48
Reason for closing: Fixed
Admin
cbay commented on 11.09.2025 12:48

Hello,

Although I believe that's not a vulnerability (at least on our side), we've modified the Cache-Control header on that page to prevent browsers from caching passwords.

You can open a support ticket and claim a (small) bounty.

Kind regards,
Cyril
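
An added example, not part of the ticket and not alwaysdata's code: a Python check of the Cache-Control header on a response that echoes credentials or personal data. The ticket does not say which header value was set; `no-store` is assumed here as the directive that forbids storage, and the header sets below are constructed samples.

```python
import re

# One directive: a name, optionally followed by =token or ="quoted string".
_DIRECTIVE = re.compile(r'([^\s,=]+)(?:\s*=\s*("[^"]*"|[^,]*))?')

# Directives often mistaken for "do not keep this page", with what they really do.
_NOT_ENOUGH = {
    "no-cache": "no-cache allows storage and only forces revalidation before reuse",
    "private": "private only keeps the response out of shared (proxy/CDN) caches",
    "max-age": "max-age limits freshness; the response may still be stored",
    "must-revalidate": "must-revalidate applies once stale; it does not forbid storage",
}

def parse_cache_control(values):
    """Merge Cache-Control header values into {directive: argument or None}."""
    directives = {}
    for value in values:
        for name, arg in _DIRECTIVE.findall(value):
            arg = arg.strip().strip('"')
            directives[name.lower()] = arg or None
    return directives

def audit_sensitive_response(headers):
    """Check a response that echoes credentials or personal data.

    headers: iterable of (name, value) pairs. Returns a list of findings;
    an empty list means the response tells caches not to store it.
    """
    values = [v for k, v in headers if k.lower() == "cache-control"]
    directives = parse_cache_control(values)
    if "no-store" in directives:
        return []
    findings = ["no-store is absent, so a browser may keep a copy of the filled-in page"]
    findings += [why for name, why in _NOT_ENOUGH.items() if name in directives]
    return findings

if __name__ == "__main__":
    # Constructed header sets for a page that redisplays a submitted password.
    samples = {
        "no header": [("Content-Type", "text/html")],
        "looks strict": [("Cache-Control", "private, no-cache, max-age=0")],
        "hardened": [("Cache-Control", "no-store")],
    }
    for label, headers in samples.items():
        print(label, "->", audit_sensitive_response(headers) or "OK")
```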

Ok sir, thanks

I opened a ticket to collect my bounty in the alwaysdata support panel, but no one is responding. Kindly issue my reward.

Thank You,

Waleed Anwar

Any update?
