Use of Hard-coded Credentials in cythron/tweango

Valid

Reported on

May 13th 2021


✍️ Description

The Django secret key was hard coded in the Github repository which is vulnerable as https://huntr.dev/bounties/1-other-cythron/Tweango/ accordingly. Since the GitHub public API monitor every single git commit that is made, attacker can still find the key from commit lists.

  • => It is better to revoke the secret so that key no longer exist.
  • => Repo can be made private.
  • => It is better to rewrite git history for permanently removing all evidence of leaks. (optional)

🕵️‍♂️ Proof of Concept

The key is still exposed.

https://github.com/cythron/Tweango/commit/ff8fa1c4216c21518915f5c1662772fc7c7152ca

💥 Impact

Attacker can still forge json objects and create csrf as the vulnerability has not been fixed properly.

cythron
6 months ago

Maintainer


Nice catch! I will fix this by randomizing the tokens during deployment. Patch is underway. Thank you.