Dark C0d3rs

Medium
resolved

PII Exposure via Email Confirmation Link – Email Embedded in Token & Leaked via Wayback Machine

Bug reported by Mantosh Sah was disclosed at August 23, 2025, 5:29 am | Information Disclosure

An email confirmation link used by Omise (dashboard.omise.co) included the user's email address directly embedded in a token that was visible in the URL. This token was archived publicly by the Wayback Machine (archive.org), resulting in public exposure of personally identifiable information (PII).

hashXploiter

PII Exposure via Email Confirmation Link – Email Embedded in Token & Leaked via Wayback Machine