Unintentional disclosure of VT API-key?

SharadKumar97 / OSINT-SPY

Performs OSINT scan on email/domain/ip_address/organization using OSINT-SPY. It can be used by Data Miners, Infosec Researchers, Penetration Testers and cyber crime investigator in order to find deep information about their target. If you want to ask something please feel free to reach out to me at robotcoder@protonmail.com

https://docs.osint-spy.io

GNU General Public License v3.0

1.15k stars 182 forks source link

Unintentional disclosure of VT API-key? #5

Closed cstromblad closed 6 years ago

cstromblad commented 6 years ago

In the malware.py file, looking at the code for submitting malware samples to VT there appears to be a hardcoded API-key in there?

moyamanuel commented 6 years ago

@cstromblad, Yes, most likely it's hardcoded so the user doesn't have to generate their own API key. I'm quite sure it's intentional.

cstromblad commented 6 years ago

Well, that would very likely be a breach of VT terms of use. Each user is supposed to have their own unique key. It's likely unintentional, but if it's intentional it's a breach of their terms of use.

moyamanuel commented 6 years ago

Good point. Most APIs require each user to have their own API key. Nonetheless, this issue can be addressed by having the user enter their API key during the initial setup process, and then the API key can be stored in a noSQL database or a text file.

SharadKumar97 commented 6 years ago

Hi, guys. Sorry about this issue. I forgot to change that. Now I have solved this issue.Thanks