Use of Hard-coded Credentials in cythron/tweango


Reported on

May 13th 2021

✍️ Description

The Django secret key was hard coded in the Github repository which is vulnerable as accordingly. Since the GitHub public API monitor every single git commit that is made, attacker can still find the key from commit lists.

  • => It is better to revoke the secret so that key no longer exist.
  • => Repo can be made private.
  • => It is better to rewrite git history for permanently removing all evidence of leaks. (optional)

🕵️‍♂️ Proof of Concept

The key is still exposed.

💥 Impact

Attacker can still forge json objects and create csrf as the vulnerability has not been fixed properly.

3 years ago


Nice catch! I will fix this by randomizing the tokens during deployment. Patch is underway. Thank you.

to join this conversation