Unprotected Storage of Credentials in cythron/tweango

Valid

Reported on

May 12th 2021


✍️ Description

Django secret key is pushed into Github repository. This is used to sign Json objects, create hashes and generate Csrf tokens.

🕵️‍♂️ Proof of Concept

https://stackoverflow.com/questions/15170637/effects-of-changing-djangos-secret-key/15383766?noredirect=1#comment21743494_15383766

💥 Impact

Attacker will be able to forge json objects and create csrf tokens.

cythron
7 months ago

Maintainer


Although I made this project for learning purposes and have not hosted it online, I was unaware of uploading the secret keys to GitHub. Thanks for pointing it out!

cythron
7 months ago

Maintainer


Thanks again! The issue is now resolved.