Report #32351

Report Date: June 18, 2024
Status: Closed
Payout

Hardcoded credentials were found within the frontend code

Report Info

Report ID: #32351

Report type: Websites and Applications

Has PoC?: Yes

Target: https://app.bean.money

Impacts

Hardcoded credentials were found within the frontend code, specifically for accessing the RPC services. This exposes sensitive information and can lead to unauthorized access and potential misuse.

Description

Hardcoded credentials were found within the frontend code, specifically for accessing the RPC services. This exposes sensitive information and can lead to unauthorized access and potential misuse.

Vulnerability Details

The following credentials were found hardcoded in the frontend code (JavaScript):

    rpc: [
      'https://rpc.ankr.com/eth',
      {
        url: 'https://api-geth-archive.ankr.com',
        user: 'balancer_user',
        password: 'balancerAnkr20201015'
      }
    ]

Impact Details

Exposing usernames and passwords in the frontend code can lead to unauthorized access to backend services, data leaks, and potential system compromise.

Proof of concept

    rpc: [
      'https://rpc.ankr.com/eth',
      {
        url: 'https://api-geth-archive.ankr.com',
        user: 'balancer_user',
        password: 'balancerAnkr20201015'
      }
    ]

Immunefi Response

Immunefi has reviewed this vulnerability report and decided to close it, as it is out of scope for the Beanstalk bug bounty program.
  • claimed impact by the whitehat is not in scope for the bug bounty program
  • claimed asset by the whitehat is in scope for the bug bounty program
  • PoC has been submitted to the project
  • claimed severity is in scope for the bug bounty program

The project will now be automatically subscribed and receive a report of the closed submission and can evaluate if they are interested in re-opening it. However, note that they are not under any obligation to do so.
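
A check a team could run over its built frontend bundle to catch this class of finding before release, as an added example that is not part of the original report or the project's code: it flags string literals assigned to secret-like properties and URLs that carry inline basic-auth. The key list, the function names and the sample bundle are assumptions constructed for illustration.

```javascript
'use strict';

// Property names that commonly hold secrets (assumed list; extend for your code base).
const SECRET_KEYS = ['password', 'passwd', 'secret', 'apikey', 'api_key', 'token'];

// Matches  key: 'literal'  or  "key":"literal"  (also in minified bundles).
const KEY_LITERAL = new RegExp(
  `["']?\\b(${SECRET_KEYS.join('|')})["']?\\s*:\\s*(["'])((?:\\\\.|(?!\\2).)+)\\2`, 'gi');

// Matches URLs that carry inline basic-auth: https://user:pass@host/...
const URL_USERINFO = /https?:\/\/[^\s\/'"@:]+:([^\s\/'"@]+)@[^\s\/'"]+/gi;

// 1-based line number of a character offset.
function lineOf(source, index) {
  return source.slice(0, index).split('\n').length;
}

// Returns findings without echoing the secret itself, so the scan output
// can be kept in CI logs.
function findHardcodedCredentials(source) {
  const findings = [];
  for (const m of source.matchAll(KEY_LITERAL)) {
    findings.push({ line: lineOf(source, m.index), kind: 'secret-property',
                    key: m[1].toLowerCase(), length: m[3].length });
  }
  for (const m of source.matchAll(URL_USERINFO)) {
    findings.push({ line: lineOf(source, m.index), kind: 'url-userinfo',
                    key: 'url', length: m[1].length });
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample bundle; hosts and credentials are placeholders.
const SAMPLE_BUNDLE = `
const config = {
  rpc: [
    'https://rpc.example.invalid/eth',
    { url: 'https://archive.example.invalid', user: 'example_user', password: 'EXAMPLE-ONLY' },
    'https://example_user:EXAMPLE-ONLY@archive.example.invalid/v1',
  ],
  // Not flagged: value is resolved at runtime, not a literal.
  token: window.sessionToken,
};`;

console.log(findHardcodedCredentials(SAMPLE_BUNDLE));
```

Anything shipped to the browser is readable by every visitor, so a hit from this scan means the credential should be rotated and the authenticated call moved behind a server-side proxy.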