Vulnerability Summary
An exposed .env file on the company's website publicly revealed sensitive credentials, including SMTP, database, AWS, and Stripe keys. This allowed full access to the admin email account and opened the door to misuse of customer orders, voucher codes, and financial data.
While reviewing certification prices on the company's website via a mobile device, I conducted a basic security test by appending /.env to the URL:
https://company.com/.env
The file was accessible.
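As an added example (not part of the original report), the following script shows how a defender would spot this kind of exposure after the fact: it parses web server access logs in the combined format and separates successful reads of `/.env` (and, as an assumption, a few similar secret-bearing paths) from failed probes. The log lines are constructed for illustration.

```python
import re

# Combined log format (nginx/Apache default). The regex is an assumption about
# the format in use; adapt it if your server logs differently.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Paths that should never be served from a web root. The report documents /.env;
# the other entries are common siblings added here as an assumption.
SENSITIVE_PATHS = ("/.env", "/.git/", "/.aws/", "/.htpasswd")

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["size"] = 0 if d["size"] == "-" else int(d["size"])
    return d

def is_sensitive(path):
    # Strip the query string; match exact paths, prefixes, and /.env in subdirectories.
    p = path.split("?", 1)[0].lower()
    return any(p == s or p.startswith(s) for s in SENSITIVE_PATHS) or "/.env" in p

def triage(lines):
    """Return (disclosures, probes): 2xx responses with a body for sensitive
    paths versus attempts that were blocked or not found."""
    disclosures, probes = [], []
    for line in lines:
        rec = parse_line(line)
        if not rec or not is_sensitive(rec["path"]):
            continue
        (disclosures if 200 <= rec["status"] < 300 and rec["size"] > 0 else probes).append(rec)
    return disclosures, probes

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /pricing HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /.env HTTP/1.1" 200 1843
198.51.100.7 - - [10/Oct/2023:14:02:10 +0000] "GET /.env HTTP/1.1" 404 153
198.51.100.7 - - [10/Oct/2023:14:02:11 +0000] "GET /.git/config HTTP/1.1" 403 162
203.0.113.9 - - [10/Oct/2023:14:05:00 +0000] "GET /app/.env?x=1 HTTP/1.1" 200 900
""".splitlines()

if __name__ == "__main__":
    found, probes = triage(SAMPLE_LOG)
    print(f"{len(found)} disclosure(s), {len(probes)} failed probe(s)")
```

A 200 with a non-empty body for `/.env` is the signal that the file was actually served and the keys must be rotated; a 404 or 403 only tells you someone was looking.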