Exposure of Sensitive Information to an Unauthorized Actor in cjferna/photo-services-mashup

Valid

Reported on

Feb 4th 2022

Description

Please enter a description of the vulnerability.

Vulnerable URL: https://github.com/cjferna/Photo-Services-Mashup/blob/fdc12e0671e035bac00cc46ee67d456540444460/src/es/um/taw/rest/imagga/Imagga.java

It contains sensitive API Keys and secret keys.

Proof of Concept


private final String URL = "https://api.imagga.com/v1/tagging";
    
    private final String API_KEY = "acc_d3a72c1921822a1";
    private final String API_SECRET = "afeade1da6cb5bd2e762c75369cacdb5";


// PoC.js
var payload = ...

Impact

This vulnerability is capable of...

We are processing your report and will contact the cjferna/photo-services-mashup team within 24 hours. 2 years ago

We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 years ago

We have contacted a member of the cjferna/photo-services-mashup team and are waiting to hear back 2 years ago

cjferna validated this vulnerability 2 years ago

Akash has been awarded the disclosure bounty

The fix bounty is now up for grabs

cjferna marked this as fixed in 0.0.1 with commit bca5f8 2 years ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

cjferna

commented 2 years ago

Maintainer

Code has been fixed and the keys published have been withdrawn.

to join this conversation