Use of Hard-coded Credentials in cythron/Tweango

Valid
Reported on May 13th 2021

✍️ Description

The Django SECRET_KEY was hard-coded in the GitHub repository, which is vulnerable as reported at https://huntr.dev/bounties/1-other-cythron/Tweango/. Since the GitHub public API exposes every single git commit that is made, an attacker can still find the key in the commit list.

  • => It is better to revoke the secret so that the key no longer exists.
  • => The repo can be made private.
  • => It is better to rewrite the git history to permanently remove all evidence of the leak. (optional)
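The two checks a maintainer would want after a report like this, as an added example that is not code from the Tweango repository: a scanner that finds a hard-coded SECRET_KEY in settings source or in the full git history (the history scan is why rotation is required even once the current tree is clean), and a fail-closed loader for the corrected, environment-based setting. The settings text and the key value below are constructed samples, and the `DJANGO_SECRET_KEY` variable name is an assumed convention.

```python
import os
import re
import subprocess
from typing import List, Mapping

# Matches a SECRET_KEY assigned a string literal. The optional leading +/-/space
# lets the same pattern run over `git log -p` output as well as plain files.
_HARDCODED_KEY = re.compile(
    r"""^[+\- ]?\s*SECRET_KEY\s*=\s*(['"])(?P<key>[^'"]{20,})\1""", re.MULTILINE
)


def find_hardcoded_secret_keys(source: str) -> List[str]:
    """Return every literal SECRET_KEY value found in settings-style text."""
    return [m.group("key") for m in _HARDCODED_KEY.finditer(source)]


def scan_git_history(repo_path: str) -> List[str]:
    """Scan the diffs of every commit on every ref; a key removed from HEAD
    is still recoverable from earlier commits, so it must be rotated."""
    log = subprocess.run(
        ["git", "-C", repo_path, "log", "-p", "--all"],
        capture_output=True, text=True, check=True,
    ).stdout
    return find_hardcoded_secret_keys(log)


def load_secret_key(env: Mapping[str, str] = os.environ) -> str:
    """Corrected pattern: read the key from the environment and refuse to
    start without one. 50 characters is the length Django's own
    get_random_secret_key() produces and its security check expects."""
    key = env.get("DJANGO_SECRET_KEY", "")
    if len(key) < 50:
        raise RuntimeError(
            "DJANGO_SECRET_KEY is missing or too short; generate one with "
            "django.core.management.utils.get_random_secret_key()"
        )
    return key


# Constructed sample of the vulnerable pattern (not a real key).
SAMPLE_LEAKED_KEY = "constructed-example-key-not-a-real-secret-0123456789"
VULNERABLE_SETTINGS = f"""
DEBUG = True
SECRET_KEY = '{SAMPLE_LEAKED_KEY}'
ALLOWED_HOSTS = []
"""

# Constructed sample of the corrected pattern: no literal key in the repo.
FIXED_SETTINGS = """
import os
SECRET_KEY = os.environ["DJANGO_SECRET_KEY"]
"""
```

Run `scan_git_history(".")` from a checkout to confirm whether any commit still carries a literal key before deciding whether history rewriting is worth the disruption.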

🕵️‍♂️ Proof of Concept

The key is still exposed.

https://github.com/cythron/Tweango/commit/ff8fa1c4216c21518915f5c1662772fc7c7152ca

💥 Impact

An attacker can still forge signed JSON objects and CSRF tokens, as the vulnerability has not been fixed properly.