Closed gxx777 closed 9 months ago
Hi @gxx777, Thank you for bringing this issue to our attention. We have removed the hardcoded encryption key and have rotated the encryption key. We are now storing the encryption key outside the codebase in a secure manner. We have fixed and released this on priority.
Description:
In SuperAGI v0.0.13, which is a dev-first open source autonomous AI agent framework.
It utilizes a constant default key to encrypt sensitive data. This practice undermines the security of the encryption scheme by making it vulnerable to various attacks, as the key can be extracted from the source code and used to decrypt sensitive data.
key = b'e3mp0E0Jr3jnVb96A31_lKzGZlSTPIp4-rPaVseyn58='
Affected Version
v0.0.13
Location:
Reference
Expected Behavior:
Encryption keys should be dynamically generated, securely managed, and should remain confidential to ensure the security of encrypted data. Ideally, the keys would be stored in a secure environment or retrieved from a secure key management service.
Actual Behavior:
It uses a constant key to encrypt the API key for configuration, as indicated in the referenced code snippets.
key = b'e3mp0E0Jr3jnVb96A31_lKzGZlSTPIp4-rPaVseyn58='
This allows anyone with access to the codebase to easily compromise the encryption and decrypt any data encrypted with this key.
Recommendation
It's imperative to resolve this vulnerability to protect the data integrity and privacy of users of the SuperAGI framework. An immediate fix and release are recommended.
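As an added example, not code from SuperAGI or from either participant in this issue, the following Python shows the two things a practitioner wants from a report like this: a check that finds hard-coded Fernet-format keys (32 random bytes, urlsafe base64, 44 characters ending in `=`) assigned in source, and a loader that takes the key from the environment and fails closed rather than falling back to a built-in constant. The environment variable name `SUPERAGI_ENCRYPTION_KEY`, the function names and the scanned snippet are assumptions for the example; the key literal inside the constructed snippet is the one quoted in the report above.

```python
"""Added example (not SuperAGI's code): detect hard-coded Fernet keys in
source and load the key from the environment instead of the codebase.

Assumptions (hypothetical, not from the report): the variable name
SUPERAGI_ENCRYPTION_KEY and the scanned snippet are constructed here.
"""
import base64
import binascii
import os
import re
import secrets

# Matches `<something>key<something> = b'<43 urlsafe-base64 chars>='`, the shape of a Fernet key literal.
FERNET_KEY_RE = re.compile(
    r"""(?P<name>\w*key\w*)\s*=\s*b?['"](?P<key>[A-Za-z0-9_-]{43}=)['"]""",
    re.IGNORECASE,
)


def is_fernet_key(value: str) -> bool:
    """True if value is urlsafe base64 that decodes to exactly 32 bytes."""
    try:
        raw = base64.urlsafe_b64decode(value.encode("ascii"))
    except (binascii.Error, ValueError, UnicodeEncodeError):
        return False
    return len(raw) == 32


def find_hardcoded_keys(source: str):
    """Return (line_number, variable_name) for each Fernet-shaped key literal assigned in source."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in FERNET_KEY_RE.finditer(line):
            if is_fernet_key(match.group("key")):
                hits.append((lineno, match.group("name")))
    return hits


def generate_key() -> str:
    """Fresh 32-byte key in Fernet's urlsafe-base64 layout, for initial provisioning or rotation."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).decode("ascii")


def load_key(env=os.environ, var="SUPERAGI_ENCRYPTION_KEY") -> bytes:
    """Load the key from the environment; refuse to start rather than use a constant fallback."""
    value = env.get(var)
    if not value:
        raise RuntimeError(f"{var} is not set; refusing to fall back to a built-in key")
    if not is_fernet_key(value):
        raise RuntimeError(f"{var} is not a valid Fernet key (32 bytes, urlsafe base64)")
    return value.encode("ascii")


# Constructed snippet mirroring the pattern in the report; the literal is the key quoted in the issue.
SAMPLE_SOURCE = """
from cryptography.fernet import Fernet
key = b'e3mp0E0Jr3jnVb96A31_lKzGZlSTPIp4-rPaVseyn58='
def encrypt(value):
    return Fernet(key).encrypt(value.encode())
"""


if __name__ == "__main__":
    for lineno, name in find_hardcoded_keys(SAMPLE_SOURCE):
        print(f"hard-coded Fernet key assigned to '{name}' on line {lineno}")
    print("example fresh key for provisioning:", generate_key())
```

The scanner is a cheap pre-commit or CI gate: a 44-character urlsafe-base64 literal ending in `=` that decodes to 32 bytes and is assigned to a name containing `key` is almost always a Fernet key and never belongs in a repository. The loader deliberately has no default; an application that silently falls back to a constant when the variable is missing reproduces the original bug.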