HackerOne Disclosed Reports - 2025-08-23

Medium
resolved

PII Exposure via Email Confirmation Link – Email Embedded in Token & Leaked via Wayback Machine


Bug reported by Mantosh Sah was disclosed on August 23, 2025, 5:29 am | Information Disclosure

An email confirmation link used by Omise (dashboard.omise.co) included the user's email address directly embedded in a token that was visible in the URL. This token was archived publicly by the Wayback Machine (archive.org), resulting in public exposure of personally identifiable information (PII).
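
The following is an added example, not code from the report or from Omise: a check that flags confirmation URLs whose token exposes an email address, next to an opaque-token design that keeps the address server-side. The base64url-JSON token encoding, the `app.example.test` host, and all function and class names are assumptions made for illustration; the report does not say how the token was encoded.

```python
import base64, hashlib, json, re, secrets
from urllib.parse import urlparse, parse_qs

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def _b64url_decode(segment):
    """Best-effort base64url decode; returns '' if the segment is not decodable text."""
    try:
        padded = segment + "=" * (-len(segment) % 4)
        return base64.urlsafe_b64decode(padded).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return ""

def emails_in_url(url):
    """Return email addresses recoverable from query values, raw or base64url-encoded."""
    found = set()
    for values in parse_qs(urlparse(url).query).values():
        for value in values:
            found.update(EMAIL_RE.findall(value))
            for segment in value.split("."):  # also covers dotted, JWT-style tokens
                found.update(EMAIL_RE.findall(_b64url_decode(segment)))
    return sorted(found)

class ConfirmationTokens:
    """Opaque tokens: the URL carries only random bytes, the email stays server-side."""
    def __init__(self):
        self._pending = {}  # sha256(token) -> email; stands in for a database table

    def issue(self, email):
        token = secrets.token_urlsafe(32)
        self._pending[hashlib.sha256(token.encode()).hexdigest()] = email
        return token

    def redeem(self, token):
        # pop() makes the token single-use, so a copy of the URL archived
        # elsewhere reveals no address and cannot be replayed after confirmation.
        return self._pending.pop(hashlib.sha256(token.encode()).hexdigest(), None)

# Constructed sample: a token that embeds the address (encoding is an assumption).
_leaky = base64.urlsafe_b64encode(
    json.dumps({"email": "alice@example.com"}).encode()).decode().rstrip("=")
LEAKY_URL = "https://app.example.test/confirm?token=" + _leaky

if __name__ == "__main__":
    store = ConfirmationTokens()
    safe_url = "https://app.example.test/confirm?token=" + store.issue("alice@example.com")
    for url in (LEAKY_URL, safe_url):
        print(url, "->", emails_in_url(url) or "no email recoverable")
```
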

