Exposure of Sensitive Information to an Unauthorized Actor in cjferna/photo-services-mashup


Reported on

Feb 4th 2022


Please enter a description of the vulnerability.

Vulnerable URL: https://github.com/cjferna/Photo-Services-Mashup/blob/fdc12e0671e035bac00cc46ee67d456540444460/src/es/um/taw/rest/imagga/Imagga.java

It contains sensitive API Keys and secret keys.

Proof of Concept

    private final String URL = "https://api.imagga.com/v1/tagging";
    private final String API_KEY = "acc_d3a72c1921822a1";
    private final String API_SECRET = "afeade1da6cb5bd2e762c75369cacdb5";

// PoC.js
var payload = ...


This vulnerability is capable of...
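
A detection sketch for the pattern in the report above, added here as an example; it is not part of the report or of the project's code. It flags Java string literals assigned to credential-like identifiers. The identifier patterns, thresholds, sample values and the IMAGGA_API_SECRET variable name are assumptions made for illustration.

```python
import math
import re
from collections import Counter

# Java declaration that assigns a string literal: String NAME = "value";
DECL = re.compile(r'\bString\s+(\w+)\s*=\s*"([^"\\]*)"')
# Identifier fragments that suggest a credential (heuristic, an assumption).
SENSITIVE = re.compile(r'(?i)(key|secret|token|passw|credential)')
MIN_LEN = 8         # shorter literals are rarely real credentials
MIN_ENTROPY = 3.0   # bits per character; tunable threshold


def shannon_entropy(value):
    """Bits per character of the literal; random keys score high."""
    counts = Counter(value)
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())


def find_hardcoded_secrets(java_source):
    """Return (line_number, identifier) for each suspicious literal."""
    findings = []
    # Comment lines are scanned too: a commented-out key is still exposed.
    for lineno, line in enumerate(java_source.splitlines(), start=1):
        for name, value in DECL.findall(line):
            if not SENSITIVE.search(name):
                continue  # e.g. the URL field is not a credential
            if len(value) >= MIN_LEN and shannon_entropy(value) >= MIN_ENTROPY:
                findings.append((lineno, name))
    return findings


# Constructed sample modelled on the reported class; all values are made up.
SAMPLE = '''\
public class Imagga {
    private final String URL = "https://api.imagga.com/v1/tagging";
    private final String API_KEY = "acc_1f9e8d7c6b5a403";
    private final String API_SECRET = "0123456789abcdef0123456789abcdef";
    private final String API_TOKEN = "changeme";
    private final String ENV_SECRET = System.getenv("IMAGGA_API_SECRET");
}
'''

if __name__ == "__main__":
    for lineno, name in find_hardcoded_secrets(SAMPLE):
        # Report the identifier only, never the secret value itself.
        print(f"line {lineno}: hardcoded credential in {name}")
```

A match means the key should be revoked as well as removed from the file, since the literal stays readable in the repository history.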

We are processing your report and will contact the cjferna/photo-services-mashup team within 24 hours. (2 years ago)
We created a GitHub Issue asking the maintainers to create a SECURITY.md. (2 years ago)
We have contacted a member of the cjferna/photo-services-mashup team and are waiting to hear back. (2 years ago)
cjferna validated this vulnerability. (2 years ago)
Akash has been awarded the disclosure bounty
The fix bounty is now up for grabs
cjferna marked this as fixed in 0.0.1 with commit bca5f8. (2 years ago)
The fix bounty has been dropped
This vulnerability will not receive a CVE
2 years ago


Code has been fixed and the keys published have been withdrawn.
