Secret Key Exposure in API Config Directory

  • I used Github to search for the Secret Key inside the target program Github Repositories. Sadly no positive results were found.
  • I used Google Dorks trying to find any info related to the secret token. Also got negative results.
  • I also checked WaybackUrls and Javascript Files and sadly got negative results.
  • Feb 4, 2021: I sent the report describing the issue that I found.
  • Feb 5, 2021: HackerOne Triage Closed the Report as Informative. Stating that an app is “leaking” these secrets doesn’t necessarily mean that there’s a security risk. And asking me to provide more details if I want my report to be reconsidered.
  • Feb 5, 2021: I provided additional details about my recon process in determining why the Key is Secret to the Program proving how I didn’t find any information related to it based on my second assumption.
  • Feb 5, 2021: HackerOne Triage Forwarded the report to the internal team.
  • Feb 22, 2021: Report got Triaged by HackerOne Triage Team.
  • Feb 26, 2021: Severity Updated to High. Bounty Awarded ($800). Report Resolved & Fix Confirmed.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Ahmad Halabi

Ahmad Halabi

Cyber Security Specialist | Hacker | Founder at Cybit Sec | Managing Director at Resecurity®.