api keys leaked through source code
Report ID
#24020
Report type
Websites and Applications
Has PoC?
Yes
Target
Impacts
Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as voting in governance
Bug Description
API keys can be used to make requests to an API with authentication. Such API key leaks can cause users to access data or perform actions they should not have access to
Impact
Black hat attackers can exploit such apikeys to access affected services which may reveal confidential details, steal funds, etc
Recommendation
do not explicitly include any confidential information through website source code that can be accessed by anyone
Proof of concept
press: Ctrl + f
search query:apikey
BIC Response
This is not a valid bug report because none of the API keys used by the Beanstalk UI are sensitive and they are all known to be viewable by looking at the source code. The report also falsely claims the Impact as "Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as voting in governance", none of which can be done with access to the API keys.
Due to these reasons, we are closing the submission and no reward will be issued.