Align Technology My Invisalign App Contentful CDA Tokens Exposure Vulnerability

A vulnerability exists in Align Technology's My Invisalign App for Android, specifically in version 3.12.4. The issue arises from hard-coded Contentful Delivery API credentials, including the CDA token, in the client-side code. This vulnerability allows an attacker to extract these credentials and access sensitive data by querying the Contentful CDN API. The exposed information includes business configurations, marketing strategies, multimedia assets, and internal documentation, which could lead to significant leakage of trade secrets and intellectual property.

Impact

Exploitation of this vulnerability allows for unauthorized access to hard-coded Contentful Delivery API credentials, enabling extraction of sensitive data from both master and release environments. This access could result in a comprehensive leakage of trade secrets and intellectual property.

Reproduction

The vulnerability can be reproduced by extracting the hard-coded Contentful Delivery API credentials from the My Invisalign App version 3.12.4 on Android. Once these credentials are obtained, they can be used to query the Contentful CDN API and access sensitive data.