NARKOZ / hacker-scripts

Based on a true story
47.45k stars, 6.66k forks

Password in Source Code #42

Open gszathmari opened 8 years ago

gszathmari commented 8 years ago

The password for the coffee machine is stored in the source code, which is 1234: https://github.com/NARKOZ/hacker-scripts/blob/master/fucking_coffee.rb#L12

This could allow anyone with access to the source code to access the coffee machine on the network.

Please remove the password from the source code into an environmental variable, and rotate the credentials on the coffee machine immediately.

chitianfarmer commented 8 years ago

OK, but I don't know how to make it; can you tell me?

gszathmari commented 8 years ago

What I recommend is a full fledged code review scanning for security issues. Please feel free to contact me in private for a short discussion, so I can understand your requirements better. After that, I will provide you a quote for my services along with the draft of the contract.

junbugg commented 8 years ago

THIS ASSHOLE CHARGED MY FUCKIN CARD WITHOUT MY AUTHORIZATION, I'M OPTING OUT. CAN'T TRUST THESE PEOPLE.

pbssubhash commented 8 years ago

Hey, Just replace the password with an environment placeholder for the production workspace and mention in the README to update the placeholder with the password. In this way hardcoding the passwords can be avoided. Alternatively, encrypting the text is another option. However, this can be dangerous if a weak encryption is being used. An environment variable is something like this:

    TWILIO_ACCOUNT_SID = ENV['TWILIO_ACCOUNT_SID']

In the above example, the TWILIO account SID was being protected.

In the same way, the code in this case can be modified as:

    password = ENV['Password_of_the_machine']
    coffee_machine_ip = ENV['Coffee_Machine_IP']
    password_prompt = ENV['PASSWORD']

Reach out to me if you'd like to know more about this issue :) I'd be happy to help.

Best.
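The ENV-based approach from the comment above, worked through as an added example (not code from the hacker-scripts repository): the settings are read from environment variables (the variable names are assumptions chosen for this example), the script fails closed when they are missing, and a small check flags credential literals in source so the hardcoded-password pattern can be caught in review.

```ruby
# Added example, not code from the hacker-scripts repository. Variable names
# (COFFEE_MACHINE_IP, COFFEE_MACHINE_PASSWORD, COFFEE_MACHINE_PROMPT) are
# assumptions for this example; the sample source strings below are constructed.
REQUIRED_VARS = %w[COFFEE_MACHINE_IP COFFEE_MACHINE_PASSWORD].freeze

# A quoted literal assigned to a credential-looking name is what a reviewer
# flags; an ENV[...] lookup on the right-hand side does not match.
HARDCODED_SECRET = /\b(password|passwd|secret|token)\w*\s*=\s*['"][^'"]+['"]/i

# Build the configuration from the environment, refusing to run without the
# required values rather than falling back to a built-in default.
def load_coffee_config(env = ENV)
  missing = REQUIRED_VARS.reject { |k| env[k] && !env[k].strip.empty? }
  unless missing.empty?
    raise ArgumentError, "missing environment variables: #{missing.join(', ')}"
  end
  {
    ip: env['COFFEE_MACHINE_IP'],
    password: env['COFFEE_MACHINE_PASSWORD'],
    # a non-secret setting may keep a harmless default
    prompt: env.fetch('COFFEE_MACHINE_PROMPT', 'Password: ')
  }
end

# Describe the loaded settings for a log line without exposing the secret.
def describe_config(cfg)
  "coffee machine at #{cfg[:ip]} (password: [redacted])"
end

# Return [line_number, line] pairs for lines that look like hardcoded secrets.
def hardcoded_secrets(source)
  source.each_line.with_index(1)
        .select { |line, _| line.match?(HARDCODED_SECRET) }
        .map { |line, n| [n, line.strip] }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed samples: 'before' mirrors the issue, 'after' uses ENV instead.
  before = "password = '1234'\ncoffee_machine_ip = '192.0.2.10'\n"
  after  = "password = ENV['COFFEE_MACHINE_PASSWORD']\n"
  p hardcoded_secrets(before) # => [[1, "password = '1234'"]]
  p hardcoded_secrets(after)  # => []
  cfg = load_coffee_config('COFFEE_MACHINE_IP' => '192.0.2.10',
                           'COFFEE_MACHINE_PASSWORD' => 'example-only')
  puts describe_config(cfg)
end
```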

gszathmari commented 8 years ago

How about if we switch to a microservices architecture and store the password in a config service instead?

(replying by e-mail to P B Surya Subhash's comment of 26 Nov 2015, 12:00)

pbssubhash commented 8 years ago

Yeah, authenticating using a dynamically assigned gateway is a decent option.

pbssubhash commented 8 years ago

Also, the internal IP address must be removed. Again, even in the Python module, these must be changed:
https://github.com/NARKOZ/hacker-scripts/blob/master/python3/fucking_coffee.py#L10
https://github.com/NARKOZ/hacker-scripts/blob/master/python3/fucking_coffee.py#L11

rusenask commented 8 years ago

I think moving authentication to Vault (https://github.com/hashicorp/vault) would be a better approach.

gszathmari commented 8 years ago

Hold on your horses, @rusenask, we have plenty of suggestions here. I think we should form a committee and let it decide what the best option is.

bitsapien commented 8 years ago

Could we ssh into the coffee machine instead?

gszathmari commented 8 years ago

Good point, as telnet is connecting in clear text.

Regards, Gabor

(replying by e-mail to C Rahul's comment of 28 Nov 2015, 20:07)

rusenask commented 8 years ago

Let's also consider another, much more sophisticated approach - what if we could create a separate web service that would just be handling the coffee machine (like a microservice that would be used by the management script)? This way we could also have separate modules for different coffee machine models. It could also have better security, a web UI (if needed), statistics, OAuth. What do you think, guys?

danielr1996 commented 8 years ago

Security for coffee machines is indeed very important, otherwise you might get a CoffeeOverflowError on the floor if someone is hacking the coffee machine.

yueyangming commented 8 years ago

How about storing the password and internet address in an ini file? What's inside would be something like:

    Internet address : xxx.xxx.xxx.xxx
    username : xxxxx
    password: xxxxx

pbssubhash commented 8 years ago

In fact that would be the same; adding it to some config file won't make any difference for the attacker. He'll steal it either way. And if the ini file is added to .gitignore, it's fine. But then again it's not the best practice.

(replying by e-mail to Yangming Yue's comment of Monday, November 30, 2015, 7:45 AM)

elrikdante commented 8 years ago

I think we can go even bigger guys.

Think "Billion People" sized solutions.

It's unfortunate the original implementation deviates a little from the twelve factor app.

I'm also having to hold off on deploying my copy pasta implementation of this system to production because dev/ops won't sanction it.

It's surprising a system written by such a lauded hacker doesn't come preconfigured to work in either my NixOS build system, nor is there much compatibility with Otto.

Signed, CoffeeTurb Inc LLC org Entitled Non Paying Enterprise User

juliusdedekind commented 8 years ago

It's powershell: use ConvertTo-SecureString? :P

ghost commented 8 years ago

Coffee machines must be telnet-like, which is a very plain text protocol and is compatible with all interfaces. The real need is to incorporate the coffee-service on any corporation machine. Just a way to custom and serve your coffee, with a hardware anti-coffee-overflow, ready near the desk. This guy is really a genius. LOL

regalstreak commented 8 years ago

The password is 1234, Damn. Not even a min needed for brute-forcing it or using a dictionary or something :3 :-1:

jalut commented 8 years ago

"What are you doing?" "Shbang! I hacked the coffee machine."

mainrs commented 7 years ago

Totally stupid idea imo. There is no need to change anything. You can only access the machine on the same network and the default password can be easily googled. No need for your "committee".

ghost commented 7 years ago

I'm pretty sure there isn't any immediate need to change the password here as these aren't the original scripts AFAIK (implying that it's probably not the same password). Even if I'm wrong, it's a default password for a coffeemaker in Russia that you would need LAN access for anyway; it's not an issue worthy of the project curators' time. If it bothers you that much, instead of spending 5 minutes to make an issue on GitHub (and advertise your code auditing services on a repository which was intended as a joke), you could very easily have used that 5 minutes to change one line of code and make a pull request.

mo9a7i commented 7 years ago

Over 1 year open with no fix? I think you can publish a CVE safely and flood Russian corporations with coffee.

mainrs commented 7 years ago

The troll is getting real here

Dharkancb commented 5 years ago

my wife imo hack by mobile number

cyb3rpr0 commented 4 years ago

This could be CVE worthy for sure. Was this ticket ever resolved? I could use the extra PR for hacktoberfest 💪 😏

mainrs commented 4 years ago

I'm sure that there are other projects that are way more important that you can contribute to than some small scripts that nobody uses anyway. A lot of great libraries within the JavaScript ecosystem are out there that always love PRs :) @micknoy