PinchTab API Token Exposure Vulnerability via URL Query Parameter

Vulnerability

A vulnerability in PinchTab versions 0.7.8 through 0.8.3 allows API tokens to be sent via a 'token' URL query parameter, in addition to the 'Authorization' header. A token carried in the query string is recorded by anything that stores full request URLs, such as reverse proxy access logs, browser history, shell history, clipboard history, and tracing systems. The issue is an unsafe credential transport pattern, not a direct authentication bypass, and only affects deployments where a token is configured and the query-parameter form is used.

Impact

The vulnerability leads to the exposure of a valid API token through unsafe URL-based transport, increasing the risk of credential compromise via systems that record full request URIs. Additionally, the first-party dashboard flow in PinchTab v0.8.3 generated and consumed tokenized URLs, further increasing the likelihood of exposure.

Reproduction

To reproduce this vulnerability, first authenticate a PinchTab server instance using a token via the query parameter in the URL. Then, access a dashboard URL generated by the PinchTab setup wizard that includes the token in the query string. This URL can be copied and pasted, which will transfer the token into clipboard history, or it can be accessed through browser history or bookmarks. The token will also be logged if the request goes through a reverse proxy that records full URLs.

Remediation

Users should update to PinchTab version 0.8.4 or later, which removes query-string token authentication and requires safer header- or session-based authentication flows. Additionally, users are advised to rotate tokens if they have previously used query-parameter authentication.
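To find out whether a deployment's reverse proxy logs already hold such tokens, and therefore which tokens need rotating, the following Python is an added example (not PinchTab's own code): it scans constructed combined-format access log lines for a 'token' query parameter and shows the redaction a proxy could apply to the request target before writing it to a log.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Constructed sample lines in nginx/Apache combined log format (not real
# PinchTab output); the token values are made up for this example.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [26/Mar/2026:22:10:01 +0000] "GET /api/tabs?token=pt_EXAMPLE_abc123 HTTP/1.1" 200 512 "-" "curl/8.5.0"
10.0.0.7 - - [26/Mar/2026:22:10:03 +0000] "GET /dashboard?token=pt_EXAMPLE_abc123&view=tabs HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.8 - - [26/Mar/2026:22:10:04 +0000] "GET /dashboard?view=tabs&TOKEN=pt_EXAMPLE_zzz999 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [26/Mar/2026:22:10:05 +0000] "GET /api/tabs HTTP/1.1" 200 512 "-" "curl/8.5.0"
10.0.0.9 - - [26/Mar/2026:22:10:07 +0000] "POST /api/navigate HTTP/1.1" 401 0 "-" "curl/8.5.0"
"""

# Matches the quoted request line; the target is everything before the HTTP version.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SENSITIVE_PARAMS = {"token"}  # the query parameter named in the advisory


def sensitive_query_values(target):
    """Return (name, value) pairs from the target's query string that carry a token."""
    parts = urlsplit(target)
    return [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() in SENSITIVE_PARAMS]


def find_token_leaks(log_text):
    """Return (line_no, path, token_value) for every logged request with a token in its URL."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        for _, value in sensitive_query_values(target):
            hits.append((n, urlsplit(target).path, value))
    return hits


def tokens_to_rotate(log_text):
    """Distinct token values that appeared in URLs; each should be treated as compromised."""
    return {value for _, _, value in find_token_leaks(log_text)}


def redact_target(target):
    """Rewrite a request target so sensitive query values never reach a log line."""
    parts = urlsplit(target)
    qs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
          for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(qs)))
```

The same scan applies to shell or tracing exports, since only the quoted request line is parsed; any token it reports should be rotated, not merely redacted after the fact.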

Added: Mar 26, 2026, 10:10 PM
Updated: Mar 26, 2026, 10:10 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          5.0
exploitability  5.9
remediation     0.0
relevance       4.8
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these eight vulnerability categories, which are then combined into the overall risk score.