Use of Hard-coded Credentials in cythron/tweango
May 13th 2021
The Django secret key was hard-coded in the GitHub repository, as already reported in https://huntr.dev/bounties/1-other-cythron/Tweango/. Because GitHub's public API exposes every commit that was ever pushed, an attacker can still recover the key from the commit history even after it is removed from the current tree.
- Revoke the secret and generate a new one so that the leaked key is no longer valid.
- The repository can be made private.
- Rewrite the git history to permanently remove all evidence of the leak. (optional)
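The remediation that actually matters is the first point: the leaked key must stop being the key the application uses. The following added example (not code from the Tweango project) shows the pattern in pure Python: a small scanner that flags a `SECRET_KEY` string literal in a settings module, a loader that reads the key from the environment and fails fast when it is missing or short, and a CSPRNG-based generator for the replacement key. The environment variable name `DJANGO_SECRET_KEY`, the sample settings text and the key value in it are constructed for the example.

```python
import os
import re
import secrets
import string

# Constructed sample of the weak pattern this report is about: a Django
# settings module with the secret key written as a string literal.
# The value is a made-up placeholder, not a real key.
HARDCODED_SETTINGS = """
DEBUG = False
SECRET_KEY = 'django-insecure-placeholder-key-not-real-000000000000'
ALLOWED_HOSTS = ['example.invalid']
"""

# The corrected pattern: the key is read from the process environment at
# start-up, so it never appears in any commit.
ENV_SETTINGS = """
import os
DEBUG = False
SECRET_KEY = os.environ['DJANGO_SECRET_KEY']
ALLOWED_HOSTS = ['example.invalid']
"""

# Matches a line that assigns SECRET_KEY a single- or double-quoted literal.
# Assignments that read the key from elsewhere (os.environ, a file) do not
# match, so a clean settings module yields no hits.
_LITERAL_KEY = re.compile(
    r"""^[ \t]*SECRET_KEY[ \t]*=[ \t]*(['"])(?P<value>[^'"]*)\1[ \t]*$""",
    re.MULTILINE,
)


def find_hardcoded_secret_keys(settings_source: str) -> list[tuple[int, str]]:
    """Return (line_number, literal_value) for every hard-coded SECRET_KEY.

    Suitable as a pre-commit or CI check over settings files.
    """
    hits = []
    for m in _LITERAL_KEY.finditer(settings_source):
        line_no = settings_source.count("\n", 0, m.start()) + 1
        hits.append((line_no, m.group("value")))
    return hits


def key_is_acceptable(key: str, min_length: int = 50) -> bool:
    """Reject empty or short keys; 50 characters matches Django's default length."""
    return len(key) >= min_length


def load_secret_key(environ=None, var: str = "DJANGO_SECRET_KEY") -> str:
    """Read the secret key from the environment, failing fast if it is unusable.

    Raising at import time of settings is deliberate: a deployment with no
    key, or a weak one, should refuse to start rather than run insecurely.
    """
    env = os.environ if environ is None else environ
    key = env.get(var, "")
    if not key_is_acceptable(key):
        raise RuntimeError(f"{var} must be set to at least 50 characters")
    return key


def generate_secret_key(length: int = 50) -> str:
    """Produce a fresh key from a CSPRNG; use this when rotating a leaked key.

    Django ships an equivalent helper,
    django.core.management.utils.get_random_secret_key(); this version only
    uses the standard library so the example runs without Django installed.
    """
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*(-_=+)"
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print("hard-coded keys in weak settings:", find_hardcoded_secret_keys(HARDCODED_SETTINGS))
    print("hard-coded keys in env settings:", find_hardcoded_secret_keys(ENV_SETTINGS))
    print("example replacement key:", generate_secret_key())
```

Rotating the key invalidates every value the old key signed (sessions, CSRF cookies, password-reset tokens), so users are logged out once; that is the intended effect, because anything an attacker forged with the leaked key stops verifying at the same moment.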
Proof of Concept
The key is still exposed.
An attacker can still forge JSON objects and CSRF tokens, because the vulnerability has not been fixed properly.