Possible Security Concerns with `editToken`

Hi all,

We received a email from a third party security company that ran an audit:

curl [https://<website>](https://<website>/) > <website>.20230725-1.txt

This command does a get-request from the site and exported to a file.

Now I ran this command to extract the e-mail addresses:

grep -i -o ‘[A-Z0-9._%±]+@[A-Z0-9.-]+.[A-Z]{2,4}’ website.20230725-1.txt > emailAddresses.txt

I extracted 1522 e-mail addresses – I can do something similar with telephone numbers. Over 1100 records.

When I inspected the original get-request, I searched for the word “Token” which gave me this:

When I decoded the token I got this:

Header: {

“a”: “”,

“s”: “navdemo”,

“i”: “37aba142-5ac8-4544-96ad-baea99d28f30”,

“u”: [https://webportal.<website>.co.za/.](https://webportal.<website>.co.za/)


Payload: {}

As you can see above, I did not do anything funny, just did a simple get-request and I managed to extract over 1500 e-mail address, over 1100 telephone numbers (including mobile numbers) and the JWT token.

As the e-mail addresses and contact numbers are not confidential, and displayed on the website, it not that much of a concern.

However, the fact by doing a simple GET request and export to file, I managed to get a lot of e-mail addresses and telephone numbers in one go.

Also, I managed to get the link to the admin/backend/CMS portal for the site as it was in the JWT token.

With the amount of e-mail address and telephone numbers which I got, I can now launch a phishing attack.

Regarding fixing the problem, not sure how they will go about doing it as they will need to look at the source code.

Giving the steps above, I am sure it will help they guys figure out how to remediate the issue.

We are not to worried about the Email/Phone numbers as it is a public facing site and the company loads the data via Squidex.
Our main concern is with the editToken and if access can be obtained via this token ?


I do not understand the issues with the email address. But the edit token does not contain any valuable information:

The relevant code is this:

For assets and contents.

As you can see we only store public information in the token.

1 Like