Secret Key Exposure in API Config Directory

  • I used GitHub to search for the secret key inside the target program's GitHub repositories. Sadly, no positive results were found.
  • I used Google Dorks trying to find any info related to the secret token. Also got negative results.
  • I also checked WaybackUrls and JavaScript files and sadly got negative results.
  • Feb 4, 2021: I sent the report describing the issue that I found.
  • Feb 5, 2021: HackerOne Triage closed the report as Informative, stating that an app "leaking" these secrets doesn't necessarily mean that there's a security risk, and asking me to provide more details if I wanted my report to be reconsidered.
  • Feb 5, 2021: I provided additional details about my recon process in determining why the key is secret to the program, proving how I didn't find any information related to it based on my second assumption.
  • Feb 5, 2021: HackerOne Triage forwarded the report to the internal team.
  • Feb 22, 2021: Report got triaged by the HackerOne Triage Team.
  • Feb 26, 2021: Severity updated to High. Bounty awarded ($800). Report resolved and fix confirmed.
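The recon steps above are about establishing that a key found in a config directory is genuinely secret, i.e. not already public. From the defending side, the cheaper control is to catch such values before they are ever served from a config directory. The scanner below is an added example written for this page, not code from the original write-up or from the affected program: it walks a directory, matches config keys whose names suggest credentials (secret, token, api_key, password, private_key), ignores placeholder values such as `${DB_PASSWORD}` or `changeme`, and flags the rest only when the value is long and has high Shannon entropy. The file names, key names and sample values are all constructed for the demonstration; the `MIN_LENGTH` and `MIN_ENTROPY` thresholds are assumptions chosen so that random base64/hex keys trip the check while ordinary words do not.

```python
"""Pre-deploy check for secret-looking values in an API config directory.

Added example (not part of the original write-up). Every file name, key
name and sample value below is constructed for the demonstration.
"""
import math
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Optional

# Config keys whose values should never sit in plaintext on a served path.
SENSITIVE_KEY = re.compile(
    r"^\s*(?P<key>[\w.\-]*(?:secret|token|api[_\-]?key|password|private[_\-]?key)[\w.\-]*)"
    r"\s*[=:]\s*[\"']?(?P<value>[^\"'\s#]+)",
    re.IGNORECASE,
)
# Values that point at an injection mechanism or are obvious dummies.
PLACEHOLDER = re.compile(
    r"^(?:\$\{?[A-Za-z_][A-Za-z0-9_]*\}?|<[^>]+>|\*+|x{3,}|changeme|redacted)$",
    re.IGNORECASE,
)

MIN_LENGTH = 16    # assumption: real keys are rarely shorter than this
MIN_ENTROPY = 3.5  # assumption: bits/char; random hex or base64 sits above it


@dataclass
class Finding:
    path: str
    line_no: int
    key: str
    entropy: float
    value_preview: str  # never log the full secret, only a redacted preview


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character over the value's own symbol distribution."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_secret(value: str) -> bool:
    """True when the value is neither a placeholder nor a short/low-entropy word."""
    if PLACEHOLDER.match(value):
        return False
    return len(value) >= MIN_LENGTH and shannon_entropy(value) >= MIN_ENTROPY


def scan_line(path: str, line_no: int, line: str) -> Optional[Finding]:
    """Return a Finding when the line assigns a secret-looking value to a sensitive key."""
    m = SENSITIVE_KEY.match(line)
    if not m:
        return None
    value = m.group("value")
    if not looks_like_secret(value):
        return None
    preview = value[:4] + "..." + value[-2:]
    return Finding(path, line_no, m.group("key"), round(shannon_entropy(value), 2), preview)


def scan_directory(root: str) -> list:
    """Walk the config directory and collect findings in a stable file order."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line_no, line in enumerate(fh, start=1):
                    finding = scan_line(path, line_no, line)
                    if finding:
                        findings.append(finding)
    return findings


# Constructed sample config directory: two real-looking leaks, two safe entries.
SAMPLE_FILES = {
    "api.env": "API_KEY=sk_live_4f9Q2mZx81LpT7vKbN3rWcYh\nDEBUG=true\n",
    "db.yaml": "password: ${DB_PASSWORD}\nhost: db.internal\n",
    "settings.py": "SECRET_KEY = 'changeme'\nJWT_SECRET = \"c7e1a2f94b3d8e0f6a1b5c9d2e4f7a8b\"\n",
}


def build_sample_dir() -> str:
    """Write the constructed sample files to a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="api-config-")
    for name, content in SAMPLE_FILES.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for f in scan_directory(build_sample_dir()):
        print(f"{f.path}:{f.line_no} {f.key} (entropy {f.entropy}) {f.value_preview}")
```

Run against the constructed directory it reports `API_KEY` in api.env and `JWT_SECRET` in settings.py, and stays quiet on the `${DB_PASSWORD}` reference and the `changeme` dummy. Wiring such a check into CI for the directory that gets deployed under the API path is the kind of control that turns a finding like the one in this report into a failed build rather than a bounty.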

Cyber Security Specialist | Hacker | Founder & CTO at Cybit Sec
Ahmad Halabi