
Report #24020

Report Date
September 11, 2023
Status
Closed
Payout

API keys leaked through source code

Report Info

Report ID

#24020

Report type

Websites and Applications

Has PoC?

Yes

Target

Impacts

Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as voting in governance

Bug Description

API keys can be used to make authenticated requests to an API. Such API key leaks can let users access data or perform actions they should not have access to.

Impact

Black hat attackers can exploit such API keys to access affected services, which may reveal confidential details, steal funds, etc.

Recommendation

Do not explicitly include any confidential information in website source code that can be accessed by anyone.

Proof of concept

Press: Ctrl + F

Search query: apikey

BIC Response

This is not a valid bug report because none of the API keys used by the Beanstalk UI are sensitive and they are all known to be viewable by looking at the source code. The report also falsely claims the Impact as "Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as voting in governance", none of which can be done with access to the API keys.

Due to these reasons, we are closing the submission and no reward will be issued.
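The exchange above turns on one distinction: a string named "apikey" in shipped front-end code is only a finding if the key is actually meant to be secret. The following Python script is an added example, not part of the report or of the Beanstalk UI's code. It scans a constructed sample of front-end source for credential-looking string literals and sorts each hit into "public-by-design", "empty", or "review", which is the triage step the reporter's Ctrl+F search skipped. The sample source, the `PUBLIC`/`PUBLISHABLE` naming convention used to recognise intentionally public keys, and the regex are all assumptions made for the example.

```python
import math
import re

# Constructed sample of front-end source for the demo; not taken from any real project.
SAMPLE_SOURCE = """\
const PUBLIC_RPC_KEY = "pk_demo_4f8a1c2e9b7d0f3a";      // intended to ship to browsers
const apiKey = "ZmFrZS1zZWNyZXQtZm9yLWRlbW8tb25seQ==";  // unclear whether sensitive
const theme = "dark";                                  // ordinary config, not a credential
const SECRET_TOKEN = "";                               // empty, nothing to leak
fetch(url, { headers: { "x-api-key": apiKey } });
"""

# An identifier whose name suggests a credential, assigned a string literal.
# Deliberately broad: noise is acceptable because every hit goes to triage.
KEY_LIKE = re.compile(
    r'\b(?P<name>\w*(?:api_?key|secret|token|key)\w*)\s*[:=]\s*["\'](?P<value>[^"\']*)["\']',
    re.IGNORECASE,
)

# Assumed convention: names carrying these markers denote keys meant to be public.
PUBLIC_MARKERS = ("PUBLIC", "PUBLISHABLE")


def shannon_entropy(text: str) -> float:
    """Bits per character; random-looking secrets score high, plain words score low."""
    if not text:
        return 0.0
    length = len(text)
    return -sum(
        (text.count(c) / length) * math.log2(text.count(c) / length) for c in set(text)
    )


def classify(name: str, value: str) -> str:
    """Decide whether a hit is a real candidate for a leaked secret."""
    if not value:
        return "empty"
    if any(marker in name.upper() for marker in PUBLIC_MARKERS):
        return "public-by-design"
    return "review"


def redact(value: str) -> str:
    """Never echo the full value into logs or reports, even during triage."""
    return value[:4] + "..." if len(value) > 4 else "..."


def scan_source(source: str) -> list:
    """Return one finding per credential-looking literal, with a triage verdict."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for match in KEY_LIKE.finditer(line):
            name, value = match.group("name"), match.group("value")
            findings.append({
                "line": line_no,
                "name": name,
                "redacted": redact(value),
                "entropy": round(shannon_entropy(value), 2),
                "verdict": classify(name, value),
            })
    return findings


def needs_review(source: str) -> list:
    """Only the hits a human should actually look at."""
    return [f for f in scan_source(source) if f["verdict"] == "review"]


if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(finding)
```

Run against the sample, the script reports three hits but flags only `apiKey` for review; the public RPC key and the empty token are filtered out before anyone writes a report. The entropy column is a hint for the reviewer, not a verdict: a high-entropy value whose name says it is public is still public.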