Open Shaunak-Chatterjee opened 3 years ago
I appreciate the report <3 but it looks like the key is leaked from a dependency outside my control that has nothing to do with this project that I no longer maintain. I mean, I could update the dependency, but I'm sure the devise folks have rotated keys by now?
It would be better to hide the key, because nobody except the owner can verify whether they have been rotated or not, unless some black hat directly utilizes the creds. And for obvious reasons, trying such things would be unethical and illegal on my part.
Yeah, but the code is managed here: https://gitlab.com/precognition-llc/aeonvera and GitHub is a mirror. Unfortunately, I don't have time to deal with every security issue that crops up from old code 😢
AMAZON_S3_BUCKET
Link - https://github.com/NullVoxPopuli/aeonvera/blob/755df8917ee4715c550460fa09cd1d5383588ac6/vendor/bundle/ruby/2.4.0/gems/devise-3.4.1/.travis.yml
Impact - Anyone can steal these and use them, eating up your usage and causing you to incur losses.
Recommendation - If you are interested in a permanent fix for this vulnerability, the best way is to revoke the disclosed API keys and generate new ones. If this is done, then even if the API keys are disclosed, an attacker wouldn't be able to use them to fetch valid responses from the API provider's service.
It would be great if the bug qualifies for any bounty/reward; it requires a lot of hard work to keep doing such good work.
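Rotating the key is the fix; the check that goes with it is finding every place a plaintext credential sits in the checkout, vendored gems included, so the rotated key is not simply committed again. The Ruby script below is an added example written for this thread, not code from aeonvera or devise. It walks a tree for CI and dotenv files, flags AWS-style access key IDs and plaintext assignments to the variable names seen in such configs, skips Travis `secure:` entries (which are encrypted), and reports hits with the value redacted so the scanner itself does not re-leak anything. The sample `.travis.yml`, the gem name `example-gem-1.0.0`, the bucket name, and the key/secret (the AWS documentation placeholders) are constructed inputs, not values from the file linked above.

```ruby
# Added example (not from aeonvera or devise): scan a checkout, vendored gems
# included, for plaintext CI credentials of the kind reported in this issue.
require 'find'
require 'tmpdir'
require 'fileutils'
require 'pathname'

# Indicators of plaintext credentials in CI/dotenv files. The AKIA prefix is the
# AWS access key ID format; the variable names are ones such configs commonly use.
SECRET_PATTERNS = {
  s3_bucket_assignment:  /\b(?:AMAZON_S3_BUCKET|AWS_S3_BUCKET)\s*[:=]\s*["']?([^\s"']+)["']?/,
  aws_access_key_id:     /\bAKIA[0-9A-Z]{16}\b/,
  aws_secret_access_key: /\b(?:AWS_SECRET_ACCESS_KEY|AMAZON_SECRET_ACCESS_KEY)\s*[:=]\s*["']?([A-Za-z0-9\/+=]{40})["']?/
}.freeze

# File names worth scanning: CI configs and dotenv files anywhere in the tree.
CANDIDATE_NAME = /\A(?:\.travis\.yml|\.env(?:\..+)?|.+\.ya?ml)\z/

Finding = Struct.new(:path, :line_no, :kind, :redacted)

# Keep the first four characters so a hit can be matched to a known key without
# copying the secret itself into scanner output or ticket text.
def redact(value)
  value[0, 4] + '*' * [value.length - 4, 0].max
end

def scan_file(path)
  findings = []
  File.foreach(path).with_index(1) do |line, no|
    stripped = line.strip
    # Travis `secure:` values are encrypted with the repo's key, not plaintext.
    next if stripped.start_with?('secure:', '- secure:')
    SECRET_PATTERNS.each do |kind, re|
      next unless (m = re.match(line))
      findings << Finding.new(path, no, kind, redact(m[1] || m[0]))
    end
  end
  findings
end

def scan_tree(root)
  paths = []
  Find.find(root) { |p| paths << p if File.file?(p) && File.basename(p).match?(CANDIDATE_NAME) }
  paths.sort.flat_map { |p| scan_file(p) }
end

# Constructed sample .travis.yml: the bucket name and the AWS documentation
# example key/secret are placeholders, not values from the reported file.
SAMPLE_TRAVIS_YML = <<~YAML
  language: ruby
  rvm:
    - 2.4.0
  env:
    global:
      - AMAZON_S3_BUCKET=example-ci-bucket
      - AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
      - AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
      - secure: "ZW5jcnlwdGVkLWJsb2ItcGxhY2Vob2xkZXI="
YAML

# Builds a throwaway tree shaped like vendor/bundle/.../gems/<gem>/.travis.yml
# (hypothetical gem name) and returns [relative_path, line, kind, redacted] rows.
def demo
  Dir.mktmpdir('leak-scan') do |root|
    gem_dir = File.join(root, 'vendor', 'bundle', 'ruby', '2.4.0', 'gems', 'example-gem-1.0.0')
    FileUtils.mkdir_p(gem_dir)
    File.write(File.join(gem_dir, '.travis.yml'), SAMPLE_TRAVIS_YML)
    scan_tree(root).map do |f|
      [Pathname.new(f.path).relative_path_from(Pathname.new(root)).to_s, f.line_no, f.kind, f.redacted]
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |rel, no, kind, val| puts "#{rel}:#{no} #{kind} #{val}" }
end
```

Run it against a real checkout by calling `scan_tree('.')` from the repository root instead of `demo`; a non-empty result on `vendor/` is the signal that a dependency shipped its own CI credentials, which is exactly the case here and is why a `vendor/bundle` directory committed to git needs the same secret scanning as first-party code.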