# humand-web — Access tokens exposed in URL path parameters across mobile routes

STATUS: DRAFT
program: humand-web | platform: huntr | repo: HumandDev/humand-web | commit: 2026-02-13-scan

````
Repository URL: https://github.com/HumandDev/humand-web
Package Manager: npm
CVSS: Attack Vector: Network
Title: humand-web — Access tokens exposed in URL path parameters across mobile routes
Description:

## huntr Form Fields

```
Package Manager: npm
Version Affected: latest frontend build (observed in 2026-02-13 scan)
Vulnerability Type: Use of GET Request Method With Sensitive Query Strings
CVSS:
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: None
  User Interaction: Required
  Scope: Unchanged
  Confidentiality: High
  Integrity: High
  Availability: None
Title: Access tokens are accepted in URL path and persisted as active session
```

### Description

Several mobile routes include `:accessToken` directly in their URL paths:

- `/events-nemak-mobile/:accessToken`
- `/org-chart-mobile/:accessToken/:id`
- `/scorm-courses-mobile/:accessToken`
- `/recognitions-nemak-mobile/:accessToken`

Additionally, the SCORM folder logic consumes this URL token and stores it as active local session state:

```ts
if (accessToken && isMobile) {
  encryptStorage.setItem('accessToken', accessToken);
}
```

Even though access tokens are shorter-lived than refresh tokens, carrying them in the URL still leaks active bearer credentials through server and proxy logs, browser history, referrer chains, and telemetry tooling.

### Proof of Concept

1. Navigate to one affected route with a valid access token in the path.
2. Observe the full token in browser history and request URL handling.
3. Copy the token from the leaked URL and replay an API request with `Authorization: Bearer `.
4. Confirm unauthorized reuse while the token remains valid.

### Impact

Token leakage allows session hijack for the token's lifetime, unauthorized data access, and impersonation of user actions. Exposure is more likely on shared devices, under MDM logging, or in analytics-heavy environments.

### Occurrences

```
Permalink: /src/routes.tsx#L1298
Description: events mobile route embeds access token in URL

Permalink: /src/routes.tsx#L2476
Description: org-chart mobile route embeds access token in URL

Permalink: /src/routes.tsx#L2485
Description: scorm-courses mobile route embeds access token in URL

Permalink: /src/routes.tsx#L2494
Description: recognitions mobile route embeds access token in URL

Permalink: /src/pages/dashboard/scorm/Folders.tsx#L64-L65
Description: URL token is persisted as active access token in client storage
```

### References

```
URL: https://cwe.mitre.org/data/definitions/200.html
Name: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

URL: https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url
Name: OWASP - URL token exposure risks
```
````
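As an added example (not code from humand-web or from this report), a small defender-side helper pair: an audit that flags route patterns whose path parameter names look like bearer credentials, fed with the four affected routes above as constructed input, and a redaction function for scrubbing such segments from concrete URL paths before they reach history, analytics or error reports. The parameter-name regex, the `[REDACTED]` marker and all function names are assumptions made for this example.

```typescript
// Added audit/redaction helpers (not humand-web code). Route patterns use the
// ":param" syntax seen in routes.tsx; the parameter-name regex and the
// "[REDACTED]" marker are assumptions for this example.

// Path parameter names that suggest a bearer credential is carried in the URL.
const CREDENTIAL_PARAM = /^:(access|refresh|auth|session)?[_-]?token$/i;

export interface TokenRouteFinding {
  route: string; // route pattern as registered, e.g. "/scorm-courses-mobile/:accessToken"
  param: string; // offending parameter name without the leading colon
}

// Scan registered route patterns and report every path segment that names a credential.
// Intended as a CI lint step so new ":accessToken"-style routes cannot be added unnoticed.
export function findTokenRoutes(routes: string[]): TokenRouteFinding[] {
  const findings: TokenRouteFinding[] = [];
  for (const route of routes) {
    for (const segment of route.split('/')) {
      if (CREDENTIAL_PARAM.test(segment)) {
        findings.push({ route, param: segment.slice(1) });
      }
    }
  }
  return findings;
}

// Replace the credential-bearing segments of a concrete URL path with a fixed marker,
// using the route pattern it matched to locate them. Apply before the path is written
// to history (history.replaceState), analytics events, or client-side error reports.
export function redactTokenSegments(routePattern: string, path: string): string {
  const patternSegments = routePattern.split('/');
  return path
    .split('/')
    .map((segment, i) =>
      i < patternSegments.length && CREDENTIAL_PARAM.test(patternSegments[i]) ? '[REDACTED]' : segment,
    )
    .join('/');
}

// Constructed input: the four routes named in this report plus one benign route.
export const REPORTED_ROUTES = [
  '/events-nemak-mobile/:accessToken',
  '/org-chart-mobile/:accessToken/:id',
  '/scorm-courses-mobile/:accessToken',
  '/recognitions-nemak-mobile/:accessToken',
  '/dashboard/:id',
];
```

Note that the redaction only protects the client side of the leak; the proper fix is to stop issuing tokens via the path at all, for which this audit serves as the regression check.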