Unprotected Storage of Credentials in cythron/tweango

Valid

Reported on

May 12th 2021


✍️ Description

The Django SECRET_KEY is committed to the public GitHub repository. Django uses this key to sign JSON objects, create hashes and generate CSRF tokens.

🕵️‍♂️ Proof of Concept

https://stackoverflow.com/questions/15170637/effects-of-changing-djangos-secret-key/15383766?noredirect=1#comment21743494_15383766

💥 Impact

An attacker who obtains the key will be able to forge signed JSON objects and create valid CSRF tokens.
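As an added illustration (not part of the report or of the tweango project), the snippet below re-implements Django's Signer construction with the standard library: a value signed under the committed key verifies for anyone holding that key, rotating SECRET_KEY invalidates the old signatures, and a small check flags a settings module that embeds the key as a string literal. The key strings and the `has_hardcoded_secret_key` helper are constructed for this example.

```python
import base64
import hashlib
import hmac
import re

SEP = ":"
SALT = "django.core.signing.Signer"  # Django's default Signer salt


class BadSignature(Exception):
    """Raised when a signed value does not verify under the given key."""


def _signature(value: str, secret: str) -> str:
    # Same construction as django.utils.crypto.salted_hmac with SHA-256:
    # derive a per-salt key from the secret, then HMAC the payload with it.
    key = hashlib.sha256((SALT + "signer" + secret).encode()).digest()
    mac = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def sign(value: str, secret: str) -> str:
    """Append an HMAC to value; anyone holding `secret` can produce this."""
    return f"{value}{SEP}{_signature(value, secret)}"


def unsign(signed: str, secret: str) -> str:
    """Return the payload if the signature verifies under `secret`, else raise."""
    value, _, sig = signed.rpartition(SEP)
    if not sig or not hmac.compare_digest(sig, _signature(value, secret)):
        raise BadSignature("signature does not match")
    return value


# Mitigation check (constructed helper): flag a settings module that embeds
# SECRET_KEY as a string literal instead of reading it from the environment.
_LITERAL_KEY = re.compile(r"^\s*SECRET_KEY\s*=\s*['\"]", re.MULTILINE)


def has_hardcoded_secret_key(settings_source: str) -> bool:
    return bool(_LITERAL_KEY.search(settings_source))


if __name__ == "__main__":
    leaked, rotated = "committed-to-git-key", "new-key-from-env"  # constructed
    token = sign("session=42", leaked)
    print(unsign(token, leaked))            # verifies while the leaked key is live
    try:
        unsign(token, rotated)              # rotating SECRET_KEY invalidates it
    except BadSignature as exc:
        print("rejected after rotation:", exc)
```

Rotating the key also invalidates every existing session and password-reset token, which is the expected cost of remediating a leaked SECRET_KEY.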

cythron
2 years ago

Maintainer


Although I made this project for learning purposes and have not hosted it online, I was unaware of uploading the secret keys to GitHub. Thanks for pointing it out!

cythron
2 years ago

Maintainer


Thanks again! The issue is now resolved.
