Unprotected Storage of Credentials in hstm/dotfiles


Reported on May 28th 2021

✍️ Description

The owner of this GitHub repository has inadvertently committed their .pgpass file, which contains login information for a localhost PostgreSQL server. We suggest that the owner delete the file from the repository, add .pgpass to their .gitignore, and change their localhost PostgreSQL password so that this cannot be chained with other vulnerabilities to expose data.
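The following is an added example, not code from the report or from the hstm/dotfiles repository. It shows the check a defender would run over a checkout before the file is ever pushed: locate any tracked .pgpass file, parse it with libpq's field rules (five colon-separated fields, backslash escapes ':' and '\'), report each entry with the password redacted to its length, and check whether the repository's .gitignore would have excluded the file. It also checks the file mode, since libpq refuses a .pgpass that is group- or world-readable. The sample .pgpass and .gitignore contents are constructed; the .gitignore matcher only handles plain names and '*' globs, which is an assumption rather than git's full pattern semantics.

```python
import fnmatch
import os
import stat
import tempfile
from pathlib import Path

# Constructed sample contents (not the repository's real file).
SAMPLE_PGPASS = """\
# hostname:port:database:username:password
localhost:5432:appdb:app_user:s3cret
localhost:*:*:postgres:hunter2
db.example.internal:5432:analytics:reader:ex\\:ample
"""

SAMPLE_GITIGNORE = """\
*.log
.DS_Store
"""


def parse_pgpass(text):
    """Parse .pgpass lines into dicts. Passwords are never returned, only
    their length, so the output is safe to log. A backslash escapes the
    next character, which is how ':' and '\\' appear inside a field."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        fields, cur, i = [], [], 0
        while i < len(line):
            ch = line[i]
            if ch == '\\' and i + 1 < len(line):
                cur.append(line[i + 1])
                i += 2
                continue
            if ch == ':':
                fields.append(''.join(cur))
                cur = []
            else:
                cur.append(ch)
            i += 1
        fields.append(''.join(cur))
        if len(fields) != 5:
            continue  # malformed line; skip rather than guess
        host, port, db, user, pw = fields
        entries.append({'host': host, 'port': port, 'database': db,
                        'user': user, 'password_length': len(pw)})
    return entries


def gitignore_covers(gitignore_text, filename='.pgpass'):
    """True if a .gitignore line would exclude the file name.
    Assumption: only plain names and '*' globs, no negation or dir rules."""
    for raw in gitignore_text.splitlines():
        pat = raw.strip()
        if not pat or pat.startswith('#') or pat.startswith('!'):
            continue
        pat = pat.lstrip('/').rstrip('/')
        if fnmatch.fnmatch(filename, pat):
            return True
    return False


def pgpass_mode_ok(path):
    """libpq ignores a .pgpass file readable by group or others (needs 0600)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def audit_checkout(repo_dir):
    """Walk a checkout, find every .pgpass, and report redacted findings."""
    findings = []
    gi_path = Path(repo_dir) / '.gitignore'
    gi_text = gi_path.read_text() if gi_path.exists() else ''
    for path in Path(repo_dir).rglob('.pgpass'):
        if '.git' in path.parts:
            continue
        findings.append({
            'path': str(path.relative_to(repo_dir)),
            'entries': parse_pgpass(path.read_text()),
            'ignored': gitignore_covers(gi_text, path.name),
            'mode_ok': pgpass_mode_ok(path),
        })
    return findings


def demo():
    """Build a constructed checkout in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as d:
        sub = Path(d) / 'macos'
        sub.mkdir()
        f = sub / '.pgpass'
        f.write_text(SAMPLE_PGPASS)
        os.chmod(f, 0o644)  # world-readable: leaks and is also ignored by libpq
        (Path(d) / '.gitignore').write_text(SAMPLE_GITIGNORE)
        return audit_checkout(d)


if __name__ == '__main__':
    for finding in demo():
        print(finding)
```

Run as a pre-commit check or over a fresh clone; any finding with `ignored` false means the file would be tracked. Removing the file from the working tree does not remove it from git history, so rotating the password, as the report recommends, is the step that actually closes the exposure.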

🕵️‍♂️ Proof of Concept

Visit https://github.com/hstm/dotfiles/blob/main/macos/.pgpass

💥 Impact

This vulnerability is capable of exposing localhost PostgreSQL credentials and whatever information is associated with said database(s).

Jamie Slome
a year ago


I have contacted the maintainer via a GitHub Issue and we will await a response from them.

Jamie Slome validated this vulnerability a year ago
geeknik has been awarded the disclosure bounty
The fix bounty is now up for grabs