TransformerOptimus / SuperAGI

<⚡️> SuperAGI - A dev-first open source autonomous AI agent framework. Enabling developers to build, manage & run useful autonomous agents quickly and reliably.
https://superagi.com/
MIT License
15.26k stars 1.83k forks

Cryptographic API Misuse Vulnerability : Do not use constant key for encryption #1364

Closed gxx777 closed 9 months ago

gxx777 commented 10 months ago

Description:

In SuperAGI v0.0.13, which is a dev-first open source autonomous AI agent framework.

It uses a constant default key to encrypt sensitive data. This practice undermines the security of the encryption scheme by making it vulnerable to various attacks, as the key can be extracted from the source code and used to decrypt sensitive data.

key = b'e3mp0E0Jr3jnVb96A31_lKzGZlSTPIp4-rPaVseyn58='

Affected Version

v0.0.13

Location:

Reference

Expected Behavior:

Encryption keys should be dynamically generated, securely managed, and should remain confidential to ensure the security of encrypted data. Ideally, the keys would be stored in a secure environment or retrieved from a secure key management service.

Actual Behavior:

It uses a constant key to encrypt the API key for configuration, as indicated in the referenced code snippets: key = b'e3mp0E0Jr3jnVb96A31_lKzGZlSTPIp4-rPaVseyn58='. This allows anyone with access to the codebase to easily compromise the encryption and decrypt any data encrypted with this key.

Recommendation

It's imperative to resolve this vulnerability to protect the data integrity and privacy of users of the SuperAGI framework. An immediate fix and release are recommended.
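The pattern the report describes, and the fix it asks for, as an added example that is not part of this issue and not SuperAGI's own code: a review-time scan that flags Fernet-shaped string literals in Python source (the key quoted above has the shape of a Fernet key: 32 random bytes, url-safe base64, 44 characters ending in '='), beside a loader that takes the key only from the environment, refuses the leaked value, and fails closed when nothing is configured. The environment variable name, the function names, the revoked-key set and the sample source text are this example's own assumptions.

```python
"""Added example, not SuperAGI code: a review-time check for the constant-key
pattern in this report, plus a key loader that does what Expected Behavior asks.

Assumed names: ENCRYPTION_KEY_ENV, REVOKED_KEYS, scan_for_hardcoded_keys,
generate_key, load_encryption_key and SAMPLE_SOURCE are all invented here.
"""
import base64
import os
import re
import secrets
from typing import List, Mapping, Optional, Tuple

ENCRYPTION_KEY_ENV = "ENCRYPTION_KEY"  # assumed env var name, not SuperAGI's

# A Fernet key is 32 random bytes, url-safe base64 encoded: 43 chars + '='.
_FERNET_KEY_RE = re.compile(r"""['"]([A-Za-z0-9_-]{43}=)['"]""")

# The key quoted in this issue. A key that has been in a public repository is
# compromised for good, so the loader refuses it even if an operator copies it
# into the environment to "keep things working" after the hardcoded default
# is removed.
REVOKED_KEYS = frozenset({"e3mp0E0Jr3jnVb96A31_lKzGZlSTPIp4-rPaVseyn58="})


def is_fernet_shaped(key: str) -> bool:
    """True if `key` is url-safe base64 that decodes to exactly 32 bytes."""
    try:
        return len(base64.urlsafe_b64decode(key.encode("ascii"))) == 32
    except (ValueError, TypeError):  # binascii.Error is a ValueError
        return False


def scan_for_hardcoded_keys(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, key) for each Fernet-shaped string literal.

    A heuristic for code review or CI, not proof of misuse: it catches the
    constant-key pattern from this report, but a key assembled from pieces
    or read from a committed file needs a different check.
    """
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in _FERNET_KEY_RE.finditer(line):
            if is_fernet_shaped(match.group(1)):
                hits.append((lineno, match.group(1)))
    return hits


def generate_key() -> str:
    """A fresh 32-byte key from the OS CSPRNG, in the Fernet encoding."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).decode("ascii")


def load_encryption_key(env: Optional[Mapping[str, str]] = None) -> bytes:
    """Take the key from the environment; never fall back to a constant.

    Every failure raises, so a misconfigured deployment stops instead of
    encrypting API keys under a value everyone with the repository knows.
    """
    env = os.environ if env is None else env
    key = env.get(ENCRYPTION_KEY_ENV, "")
    if not key:
        raise RuntimeError(
            f"{ENCRYPTION_KEY_ENV} is not set; create one with generate_key() "
            "and inject it from the environment or a secrets manager"
        )
    if key in REVOKED_KEYS:
        raise RuntimeError("refusing a key that was previously committed to source")
    if not is_fernet_shaped(key):
        raise RuntimeError("key must be 32 bytes in url-safe base64 (44 characters)")
    return key.encode("ascii")


# Constructed sample source: the vulnerable line from this report next to a
# literal (a URL) that must not be flagged.
SAMPLE_SOURCE = """\
import os
key = b'e3mp0E0Jr3jnVb96A31_lKzGZlSTPIp4-rPaVseyn58='  # hardcoded default
api_base = "https://example.invalid/v1"
"""


if __name__ == "__main__":
    for lineno, key in scan_for_hardcoded_keys(SAMPLE_SOURCE):
        print(f"line {lineno}: hardcoded Fernet-shaped key {key[:6]}...")
    print("fresh key:", generate_key())
```

Rotating the key also means re-encrypting whatever was stored under the old one; the revoked-key check is what keeps the old value from quietly coming back through configuration.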

JohnHunt999 commented 9 months ago

Hi @gxx777, Thank you for bringing this issue to our attention. We have removed the hardcoded encryption key and have rotated the encryption key. We are now storing the encryption key outside the codebase in a secure manner. We have fixed and released this on priority.