CoinDesk API Error Exposes Privileged Token

We discussed this vulnerability during Episode 121 on 21 February 2022

This just comes down to an overly verbose error message. The CoinDesk website has an API endpoint that normally serves a list of published articles, and that endpoint works as a simple proxy to the arcpublishing API. When the arcpublishing API returned a status code other than 200 (Success), the endpoint printed basically everything a developer might want while debugging: the stack trace, configuration information, and request details. Those request details included every header sent in the proxied request, among them the Authorization header carrying the token used to authenticate with arcpublishing. Using that token manually gave basically full access to the arcpublishing API.
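As an added example (not code from CoinDesk, arcpublishing or the podcast), here is a toy version of the proxy pattern described above: the leaky error handler that echoes the outbound request, next to a hardened one that keeps request detail and credentials out of the client-facing response. The names `upstream_fetch`, `ARC_TOKEN` and the two proxy functions are assumptions, and the token value is a constructed placeholder.

```python
"""Added example modelling the proxy bug described above; hypothetical names."""
import json
import logging

# Header names that must never reach a client-facing error payload.
SENSITIVE_HEADERS = {"authorization", "cookie", "x-api-key", "proxy-authorization"}
ARC_TOKEN = "Bearer CONSTRUCTED-EXAMPLE-TOKEN"  # constructed placeholder, not a real token


def upstream_fetch(request_headers):
    """Stand-in for the call to the publishing API: always simulates a 503."""
    return 503, "upstream unavailable"


def vulnerable_proxy():
    """Leaky version: on a non-200 upstream reply it dumps the whole request."""
    headers = {"Authorization": ARC_TOKEN, "Accept": "application/json"}
    status, body = upstream_fetch(headers)
    if status != 200:
        # Bug: the debug payload echoes the outbound request, token included.
        return 500, json.dumps({"error": body, "request": {"headers": headers}})
    return 200, body


def redact_headers(headers):
    """Return a copy with credential-bearing headers masked (case-insensitive)."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_HEADERS else v)
            for k, v in headers.items()}


def hardened_proxy(log=logging.getLogger("proxy")):
    """Fixed version: detail goes to server-side logs, the client gets a generic error."""
    headers = {"Authorization": ARC_TOKEN, "Accept": "application/json"}
    status, body = upstream_fetch(headers)
    if status != 200:
        # Credentials are masked even in the server log; the client only
        # learns that the upstream call failed.
        log.error("upstream %s: %s request=%s", status, body, redact_headers(headers))
        return 502, json.dumps({"error": "upstream request failed"})
    return 200, body
```

A simple regression check for this class of bug is to assert that no string from the secrets store appears in any non-200 response body of the proxy.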