Hi all,
We received an email from a third party security company that ran an audit:
curl https://<website> > <website>.20230725-1.txt
This command does a GET request to the site and exports the response to a file.
Now I ran this command to extract the e-mail addresses:
grep -E -i -o '[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}' website.20230725-1.txt > emailAddresses.txt
I extracted 1522 e-mail addresses – I can do something similar with telephone numbers. Over 1100 records.
When I inspected the original get-request, I searched for the word “Token” which gave me this:
"editToken":"eyJ…="
When I decoded the token I got this:
Header: {
"a": "",
"s": "navdemo",
"i": "37aba142-5ac8-4544-96ad-baea99d28f30",
"u": "https://webportal.<website>.co.za/"
}
Payload: {}
As you can see above, I did not do anything funny, just did a simple GET request, and I managed to extract over 1500 e-mail addresses, over 1100 telephone numbers (including mobile numbers) and the JWT token.
As the e-mail addresses and contact numbers are not confidential, and are displayed on the website, it is not that much of a concern.
However, the fact is that by doing a simple GET request and exporting to a file, I managed to get a lot of e-mail addresses and telephone numbers in one go.
Also, I managed to get the link to the admin/backend/CMS portal for the site as it was in the JWT token.
With the amount of e-mail address and telephone numbers which I got, I can now launch a phishing attack.
Regarding fixing the problem, not sure how they will go about doing it as they will need to look at the source code.
Given the steps above, I am sure it will help the guys figure out how to remediate the issue.
We are not too worried about the email/phone numbers as it is a public facing site and the company loads the data via Squidex.
Our main concern is with the editToken and whether access can be obtained via this token?
Thanks.
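To help answer the editToken question from the defender's side, here is an added example (my own code, not the poster's commands, the auditor's tooling or anything from Squidex) that does what the post describes in one place: it scans a saved copy of a page for e-mail addresses, phone numbers and JWT-shaped strings, then decodes any token found without verifying it and lists the properties that matter when judging its risk (no alg, alg=none, no signature, empty payload, no exp, a backend URL in the header). The HTML, addresses, numbers, UUID and hostname are all constructed placeholders; decoding a token this way only reveals what it carries, it cannot tell you whether the server will accept it, so an empty findings list is not a clean bill of health.

```python
import base64
import json
import re

# Constructed sample page, standing in for the output of
#   curl https://<website> > <website>.txt
# (every address, number and hostname below is made up).
SAMPLE_HTML = """<html><body>
<p>Contact: Jane.Doe@example.co.za, +27 11 555 0100</p>
<p>Support: support@example.com</p>
<script>window.__STATE__ = {"editToken":"%s"};</script>
</body></html>"""

EMAIL_RE = re.compile(r"[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}", re.IGNORECASE)
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
# "eyJ" is base64 for '{"'; allow up to two more dot-separated segments and
# padding, so both proper JWTs and single padded blobs ("eyJ...=") are caught.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_=-]+(?:\.[A-Za-z0-9_=-]*){0,2}")


def b64url_decode(segment):
    """base64url decode, tolerating missing or present '=' padding."""
    segment = segment.rstrip("=")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(header, payload, signature=b""):
    """Build a JWT-shaped string; unsigned unless a signature is supplied."""
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj, separators=(",", ":")).encode()).rstrip(b"=").decode()
    sig = base64.urlsafe_b64encode(signature).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}.{sig}"


# Placeholder token shaped like the one in the post (hypothetical values).
SAMPLE_TOKEN = make_token(
    {"a": "", "s": "navdemo",
     "i": "00000000-0000-0000-0000-000000000000",  # placeholder id
     "u": "https://webportal.example.co.za/"},     # constructed backend URL
    {})


def scan_page(html):
    """Report contact data and token-shaped strings present in page source."""
    return {
        "emails": sorted({m.group(0) for m in EMAIL_RE.finditer(html)}),
        "phones": PHONE_RE.findall(html),
        "tokens": JWT_RE.findall(html),
    }


def inspect_token(token):
    """Decode a JWT-shaped token WITHOUT verifying it and flag weak properties.

    The signature is never checked (we do not hold the server key), so the
    findings describe what the token exposes, not whether the server trusts it.
    """
    parts = token.split(".")
    decoded = []
    for part in parts[:2]:
        try:
            decoded.append(json.loads(b64url_decode(part)))
        except ValueError:           # bad base64 or not JSON
            decoded.append({})
    header = decoded[0] if decoded else {}
    payload = decoded[1] if len(decoded) > 1 else {}
    signature = b64url_decode(parts[2]) if len(parts) == 3 else b""

    findings = []
    if len(parts) != 3:
        findings.append("non_standard_segments")   # not header.payload.signature
    alg = str(header.get("alg", "")).lower()
    if not alg:
        findings.append("no_alg")                  # cannot tell how it is protected
    elif alg == "none":
        findings.append("alg_none")                # explicitly unsigned
    if not signature:
        findings.append("unsigned")                # integrity cannot be checked
    if not payload:
        findings.append("empty_payload")           # no subject/scope claims at all
    if "exp" not in payload:
        findings.append("no_exp")                  # never expires on its own
    if any(isinstance(v, str) and v.startswith("http") for v in header.values()):
        findings.append("header_url")              # reveals a backend location
    return {"segments": len(parts), "header": header, "payload": payload,
            "signature_len": len(signature), "findings": findings}


if __name__ == "__main__":
    report = scan_page(SAMPLE_HTML % SAMPLE_TOKEN)
    print(f"{len(report['emails'])} e-mail(s), {len(report['phones'])} phone(s), "
          f"{len(report['tokens'])} token(s)")
    for tok in report["tokens"]:
        print(json.dumps(inspect_token(tok), indent=2))
```

Run it against a real curl dump by replacing SAMPLE_HTML with the file contents. Findings such as unsigned, empty_payload and no_exp are the ones to raise with the developers: a token with no signature and no claims is only as safe as whatever server-side lookup it triggers, and the remediation is to stop embedding it in public page source rather than to rely on it being hard to guess.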