Bug #88
Status: closed (parent: Feature #65: Security Audit)
[Security Audit ] 23- Email addresses disclosed
Description
23 - Email addresses disclosed
CWE: CWE-200
Description:
Email addresses of developers and other individuals (whether appearing on-screen or
hidden within the page source) may disclose information that is useful to an attacker; for
example, they may represent usernames that can be used at the application's login, and
they may be used in social engineering attacks against the organization's personnel.
Affected Path(s):
https://earogya.satragroup.in/privacy-policy (applicable to the entire application)
Impact:
Unnecessary or excessive disclosure of email addresses may lead to social engineering
attacks and an increase in the volume of spam email received.
Recommendation:
1. Consider removing any email addresses that are unnecessary, or replacing
personal addresses with anonymous mailbox addresses (such as
helpdesk@example.com).
2. Obfuscate the email addresses in such a way that emailaddress@something.in
is displayed as emailaddress[at]something[dot]in.
3. To reduce the quantity of spam sent to anonymous mailbox addresses, consider
hiding the email address and instead providing a form that generates the email
server-side, protected by a CAPTCHA if necessary.
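An added example, not part of the audit report or the audited application: a Python check that finds addresses disclosed anywhere in a page's HTML (visible text, comments and attribute values such as mailto: links, so hidden ones are caught too) and applies the [at]/[dot] obfuscation from recommendation 2. The sample HTML and its example.in addresses are constructed placeholders.

```python
"""Added example: find e-mail addresses disclosed in HTML (including ones
hidden in comments or attributes) and obfuscate them as [at]/[dot]."""
import re
from html.parser import HTMLParser

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class _Collector(HTMLParser):
    """Collects text, comments and attribute values so that addresses
    invisible on-screen (comments, mailto: hrefs, hidden divs) are found."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        for _, value in attrs:
            if value:
                # mailto: links carry the address in the href attribute
                self.chunks.append(value.replace("mailto:", ""))

    def handle_data(self, data):
        self.chunks.append(data)

    def handle_comment(self, data):
        self.chunks.append(data)


def find_emails(html):
    """Return the distinct addresses found anywhere in the HTML, sorted."""
    parser = _Collector()
    parser.feed(html)
    return sorted({m.group(0) for c in parser.chunks for m in EMAIL_RE.finditer(c)})


def obfuscate(address):
    """Recommendation 2: user@example.in -> user[at]example[dot]in."""
    local, _, domain = address.rpartition("@")
    return f"{local}[at]{domain.replace('.', '[dot]')}"


# Constructed sample page; the addresses are placeholders, not real ones.
SAMPLE_HTML = """<html><body>
<!-- TODO: remove before release, ask dev.one@example.in -->
<p>Contact: <a href="mailto:privacy@example.in">privacy team</a></p>
<div style="display:none">legacy admin: admin.legacy@example.in</div>
</body></html>"""

if __name__ == "__main__":
    for addr in find_emails(SAMPLE_HTML):
        print(f"{addr} -> {obfuscate(addr)}")
```

The same scan run over the obfuscated output finds nothing, which is the check a retest of this finding would apply.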
Evidence/Proof of Concept:
Step 1: Email addresses disclosed, as shown in the screenshot below.