๐ Genasys Technologies: Missing redaction on a disclosed report
๐ก Newskategorie: Sicherheitslรผcken
๐ Quelle: vulners.com
Hi team, I wasn't sure if this worth a report, but I thought that you should be aware and HackerOne's support referred me to submit a report. I ran into a diclosed report where the reporter asked to redact his email but we can still extract his email and more info about his google account from the JWT token. The report: https://hackerone.com/reports/729960 The data from the JWT: { "name": "Herald Big Deck", "picture": "https://lh3.googleusercontent.com/-mPrAtw3rhXQ/AAAAAAAAAAI/AAAAAAAAAAA/ACHi3rdj1gqwV2ceXlY-7Ztz_RUQ-YcQ_A/photo.jpg", "iss": "https://securetoken.google.com/genasys-staging", "aud": "genasys-staging", "auth_time": 1572972711, "user_id": "VGKMK0fDRZOYSw14IpwHZPOQ4Ol2", "sub": "VGKMK0fDRZOYSw14IpwHZPOQ4Ol2", "iat": 1572972712, "exp": 1572976312, "email": "โโโโโโโโโโ", "email_verified": true, "firebase": { "identities": { "google.com": [ "โโโโโโโโ" ], "email": [ "โโโโ" ] }, "sign_in_provider": "google.com" } } Impact Private information on the researcher was... ...