api key leaked .js source code app.bean.money
Report ID
#23984
Report type
Websites and Applications
Has PoC?
Yes
Target
Impacts
information disclosure (Out of scope)
Bug Description
what is the function of the fire key?:
Most likely the API key is stored in an environment variable or file. The code you provided uses the apiKey parameter to connect to the blockchain. These parameters are likely passed in from an external source, such as a CI/CD pipeline or web application.
Impact
unauthorized access to the affected platform
Recommendation
revoke the apikey immediately and do not clearly explain the apikey in the source code
Proof of concept
press:CTRL + F
search query:apiKey:"iByabvqm_66b_Bkl9M-wJJGdCTuy19R3"
Immunefi Response
Immunefi has reviewed this vulnerability report and decided to close since being out of scope for Beanstalk bug bounty program.
- claimed impact by the whitehat
is not in scopefor the bug bounty program- claimed asset by the whitehat is in scope for the bug bounty program
- PoC has been submitted to the project
- claimed severity is in scope for the bug bounty program
Since this bug bounty program does not require Immunefi's triaging, note that Immunefi does not:
- check if whitehat's claims are factually correct
- check PoC to understand the validity
- assess the submission's severity
These activities are the project's responsibility.
The project will now be automatically subscribed and receive a report of the closed submission and can evaluate if they are interested in re-opening it. However, note that they are not under any obligation to do so.