Unprotected Storage of Credentials in hstm/dotfiles

Valid
Reported on May 28th 2021

✍️ Description

The owner of this GitHub repo has inadvertently committed their .pgpass file, which contains login information for a localhost PostgreSQL server. We suggest that the owner delete the file from the repo, add .pgpass to their .gitignore, and change their localhost PostgreSQL password so this cannot be chained with other vulnerabilities to expose data.
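The remediation above is a procedure (remove the file, ignore it, rotate the password). The following is an added example, not code from the report or from the hstm/dotfiles repository, of the kind of pre-commit check that would have caught the file before it was pushed: it parses lines in libpq's `.pgpass` format (`hostname:port:database:username:password`, with `\:` and `\\` as escapes), flags any staged file named `.pgpass` and any line anywhere with a non-empty password field, and appends a `.gitignore` entry. The staged-file contents, the `find_credential_leaks` and `ensure_gitignore_entry` names, and the `Finding` record are all assumptions of this example; the sample credentials are constructed and not the ones in the report.

```python
"""Pre-commit style check for an accidentally staged .pgpass file (added example)."""
from __future__ import annotations

import os
from typing import NamedTuple


class Finding(NamedTuple):
    path: str
    line: int       # 0 means the finding is about the file name itself
    reason: str
    target: str     # user@host:port/db, never the password itself


def split_pgpass_fields(line: str) -> list[str]:
    """Split one .pgpass line into its colon-separated fields.

    libpq's format is hostname:port:database:username:password, and a
    literal ':' or '\\' inside a field is escaped with a backslash.
    """
    fields: list[str] = []
    current: list[str] = []
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            current.append(line[i + 1])   # keep the escaped character verbatim
            i += 2
            continue
        if ch == ":":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append("".join(current))
    return fields


def parse_pgpass_line(line: str) -> list[str] | None:
    """Return the five fields of a credential entry, or None for blank lines,
    comments and lines that do not have exactly five fields."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = split_pgpass_fields(stripped)
    return fields if len(fields) == 5 else None


def find_credential_leaks(staged: dict[str, str]) -> list[Finding]:
    """Scan staged files (path -> content) for .pgpass files and for lines
    that look like .pgpass entries with a non-empty password."""
    findings: list[Finding] = []
    for path, content in staged.items():
        if os.path.basename(path) == ".pgpass":
            findings.append(Finding(path, 0, "pgpass-filename", ""))
        for lineno, line in enumerate(content.splitlines(), start=1):
            fields = parse_pgpass_line(line)
            if fields is None:
                continue
            host, port, db, user, password = fields
            if password:   # an empty password field means "prompt", not a stored secret
                findings.append(Finding(path, lineno, "pgpass-credential",
                                        f"{user}@{host}:{port}/{db}"))
    return findings


def ensure_gitignore_entry(gitignore: str, entry: str = ".pgpass") -> str:
    """Return the .gitignore text with `entry` present exactly once."""
    if entry in {ln.strip() for ln in gitignore.splitlines()}:
        return gitignore
    if gitignore and not gitignore.endswith("\n"):
        gitignore += "\n"
    return gitignore + entry + "\n"


# Constructed sample of a staging area; none of this is the reporter's data.
SAMPLE_STAGED = {
    "macos/.pgpass": "# constructed sample\nlocalhost:5432:*:admin:hunter2\n",
    "notes/db.txt": "connect with localhost:5432:appdb:app_user:s3cret\n",
    "macos/.zshrc": "export PATH=/usr/local/bin:$PATH\n",
    "README.md": "Keep PGPASSFILE pointed at a file outside the repo.\n",
}

if __name__ == "__main__":
    for f in find_credential_leaks(SAMPLE_STAGED):
        where = f"{f.path}:{f.line}" if f.line else f.path
        print(f"{f.reason:18} {where} {f.target}")
    print(ensure_gitignore_entry("node_modules/\n"), end="")
```

Findings deliberately carry the connection target but not the password, so the hook's own output does not become a second place the secret is written. Two caveats for the remediation itself: removing the file in a new commit leaves the credentials in the repository's history, so the password rotation is the step that actually closes the exposure; and the 0600 permission libpq requires on `.pgpass` only protects the local copy, not a copy that has been committed.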

🕵️‍♂️ Proof of Concept

Visit https://github.com/hstm/dotfiles/blob/main/macos/.pgpass

💥 Impact

This vulnerability is capable of exposing localhost PostgreSQL credentials and whatever data is held in the database(s) those credentials grant access to.