In the Android application com.aligntech.myinvisalign.emea version 3.12.4, Contentful Delivery API credentials (space ID and CDA token) are hardcoded in the client-side code. An attacker who extracts these credentials can directly query the Contentful CDN API to read all entries from both the master (production) and release (pre-production) environments. This exposes sensitive business configurations, marketing strategies, multimedia assets, and help documentation. By analyzing this data, the attacker can gain comprehensive insights into the app's business logic, go-to-market plans, technical release roadmap, and internal knowledge base, leading to severe and multifaceted leakage of trade secrets and intellectual property.
com/aligntech/myinvisalign/BuildConfig.java:
Proof-of-concept video: poc_com_aligntech_myinvisalign_emea.mp4 (queries against the master environment and against the release environment to retrieve pre-release content).
The video demonstrates successful retrieval of entries from both the master (production) and release (pre-production) environments, confirming the exposure of sensitive business content across all stages.
The Contentful Delivery API (CDA) token serves as a read‑only credential that authenticates requests to retrieve content from a specific space and environment. Hardcoding this token alongside the space ID in a client‑side application enables anyone who extracts them to directly query Contentful's CDN API without any additional authentication. This grants unauthorized access to all entries, assets, and content structures across any environment (e.g., master and release) that the token has permissions for, resulting in exposure of sensitive business logic, marketing strategies, and intellectual property.
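Because the exposure here comes from string constants compiled into BuildConfig.java, the cheapest control is to scan decompiled build output for such constants before release. The following scanner is an added example written for this page, not code from the app or from Contentful; the BuildConfig sample is constructed, its constant names and values are placeholders, and the entropy threshold and keyword list are assumptions to tune per project.

```python
import math
import re
from collections import Counter

# Constructed sample of a decompiled BuildConfig.java. The constant names and
# values are placeholders chosen for this example, not the app's real ones.
SAMPLE_BUILDCONFIG = '''
package com.example.app;

public final class BuildConfig {
  public static final boolean DEBUG = false;
  public static final String APPLICATION_ID = "com.example.app";
  public static final String BUILD_TYPE = "release";
  public static final int VERSION_CODE = 312;
  public static final String VERSION_NAME = "3.12.4";
  public static final String CONTENTFUL_SPACE_ID = "abcd1234wxyz";
  public static final String CONTENTFUL_CDA_TOKEN = "PLACEHOLDER_TOKEN_0123456789abcdefghijklmnopqrstuv";
  public static final String CONTENTFUL_ENV = "master";
}
'''

# Matches Java string constants of the form: public static final String NAME = "value";
CONST_RE = re.compile(r'public\s+static\s+final\s+String\s+(\w+)\s*=\s*"([^"]*)"\s*;')

# Assumed keyword list: constant names that usually carry a credential or tenant id.
SENSITIVE_NAME_RE = re.compile(r'(TOKEN|SECRET|KEY|PASSWORD|CREDENTIAL|SPACE_ID)', re.I)

# Assumed thresholds: long, high-entropy strings look like API tokens even when the
# constant name is innocuous.
MIN_TOKEN_LENGTH = 32
MIN_ENTROPY_BITS = 4.0


def shannon_entropy(s):
    """Bits of Shannon entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_buildconfig(source):
    """Return constants that look like embedded credentials, with the reason(s) flagged."""
    findings = []
    for match in CONST_RE.finditer(source):
        name, value = match.group(1), match.group(2)
        reasons = []
        if SENSITIVE_NAME_RE.search(name):
            reasons.append("sensitive-name")
        if len(value) >= MIN_TOKEN_LENGTH and shannon_entropy(value) >= MIN_ENTROPY_BITS:
            reasons.append("high-entropy-value")
        if reasons:
            # Redact the value in the finding so the report itself does not leak it.
            findings.append({"name": name, "value": value[:4] + "...", "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_buildconfig(SAMPLE_BUILDCONFIG):
        print(f"{finding['name']}: {finding['value']}  ({', '.join(finding['reasons'])})")
```

Run it over the `BuildConfig.java` produced by a decompiler (or over the generated file in `build/generated/source/buildConfig/` before the APK is even built) as a pre-release gate; any `sensitive-name` or `high-entropy-value` hit should block the build until the value is moved server-side.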
Remove the hardcoded Contentful CDA token and space ID from the client, revoke the compromised token in the Contentful dashboard, and route all content retrieval requests through a secure backend proxy. The proxy should authenticate incoming requests, enforce rate limiting, store credentials securely, and forward only authorized queries to Contentful's CDN API.
List entries from master environment
curl -H "Authorization: Bearer B4CihzPomT7POxUYdjMvuHGH6HfksDNS9cVZOsh-0gM" "https://cdn.contentful.com/spaces/52mltklwsnru/environments/master/entries?limit=10"
List entries from release environment
curl -H "Authorization: Bearer B4CihzPomT7POxUYdjMvuHGH6HfksDNS9cVZOsh-0gM" "https://cdn.contentful.com/spaces/52mltklwsnru/environments/release/entries?limit=20"