Exposure of Sensitive Information to an Unauthorized Actor in cjferna/photo-services-mashup

Valid

Reported on Feb 4th 2022


Description


Vulnerable URL: https://github.com/cjferna/Photo-Services-Mashup/blob/fdc12e0671e035bac00cc46ee67d456540444460/src/es/um/taw/rest/imagga/Imagga.java

The file contains a hardcoded API key and API secret for the Imagga tagging API.

Proof of Concept


private final String URL = "https://api.imagga.com/v1/tagging";

private final String API_KEY = "acc_d3a72c1921822a1";
private final String API_SECRET = "afeade1da6cb5bd2e762c75369cacdb5";
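
As an added example that is not part of this report or the project's code, the Python below shows two defensive checks for this class of bug: a scanner that flags string literals assigned to credential-named Java fields (run here over a constructed sample in the shape of the snippet above, with placeholder values rather than the leaked keys), and a loader that reads the Imagga key and secret from environment variables instead, failing fast when they are missing. The variable names IMAGGA_API_KEY and IMAGGA_API_SECRET are assumed; the report does not name them.

```python
import os
import re
from typing import List, Mapping, Optional, Tuple

# Constructed sample in the shape of the reported Imagga.java snippet;
# the key/secret values here are placeholders, not the leaked ones.
SAMPLE_JAVA = """public class Imagga {
    private final String URL = "https://api.imagga.com/v1/tagging";
    private final String API_KEY = "acc_000000000000000";
    private final String API_SECRET = "00000000000000000000000000000000";
    private final String apiKey = System.getenv("IMAGGA_API_KEY");
}
"""

# Java assignment of a quoted string literal to a field or variable.
ASSIGN = re.compile(r'\b(\w+)\s*=\s*"([^"]*)"\s*;')
# Field names that must never be assigned a literal in source.
CRED_NAME = re.compile(r"(?i)(?:api_?key|api_?secret|secret|token|password)\w*")


def find_hardcoded_secrets(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, field, literal) for credential-named fields set to a literal.
    Fields read from the environment or a config lookup are not flagged."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        match = ASSIGN.search(line)
        if match and match.group(2) and CRED_NAME.fullmatch(match.group(1)):
            hits.append((line_no, match.group(1), match.group(2)))
    return hits


# Assumed variable names for the remediation; the report does not name them.
REQUIRED_ENV = ("IMAGGA_API_KEY", "IMAGGA_API_SECRET")


def load_imagga_credentials(env: Optional[Mapping[str, str]] = None) -> Tuple[str, str]:
    """Read the Imagga key and secret from the environment, failing fast if unset."""
    env = os.environ if env is None else env
    missing = [name for name in REQUIRED_ENV if not env.get(name)]
    if missing:
        raise RuntimeError("missing Imagga credentials: " + ", ".join(missing))
    return env["IMAGGA_API_KEY"], env["IMAGGA_API_SECRET"]


if __name__ == "__main__":
    for line_no, field, literal in find_hardcoded_secrets(SAMPLE_JAVA):
        print(f"line {line_no}: {field} is hardcoded ({literal[:4]}...)")
```

The scanner is a pre-commit or CI check; the loader is the shape the fixed class should take, so that a future leak requires rotating the value in the environment rather than rewriting history.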




We are processing your report and will contact the cjferna/photo-services-mashup team within 24 hours. 4 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 4 months ago
We have contacted a member of the cjferna/photo-services-mashup team and are waiting to hear back 4 months ago
cjferna validated this vulnerability 4 months ago
Akash has been awarded the disclosure bounty
The fix bounty is now up for grabs
cjferna confirmed that a fix has been merged on bca5f8 4 months ago
The fix bounty has been dropped
cjferna (Maintainer), 4 months ago:

Code has been fixed and the keys published have been withdrawn.
