Skip to content

Data Leak Issue #1

New issue
New issue
Open
Open
Data Leak Issue#1
Labels
bugSomething isn't working
@lakshayman

Description

@lakshayman
lakshayman
opened on Jan 24, 2024

Issue Description

This is a critical issue notified by @Ajeyakrishna-k. This backend project has 3 endpoints - verification, profile, and health. The purpose of the profile API endpoint is to provide details of the owner like company, phone number, etc. To protect this API, we are receiving a bearer token, if the token is correct then it returns profile data. The issue is that one can generate that token from the verification endpoint easily by sending a salt.

Reproducibility

  • This issue is reproducible
  • This issue is not reproducible

Steps to Reproduce

  1. Try calling the verification endpoint with a salt, it will return a hash.
  2. Send that hash as a bearer token while calling the profile endpoint, you will get the profile data.

Severity/Priority

  • Critical
  • High
  • Medium
  • Low

Checklist

  • I have read and followed the project's code of conduct.
  • I have searched for similar issues before creating this one.
  • I have provided all the necessary information to understand and reproduce the issue.
  • I am willing to contribute to the resolution of this issue.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions