Note: It was later found that this issue affects only deployments in developer mode,
which is against the SecureDrop deployment guidelines.
Error messages from the SecureDrop Source and Journalist APIs expose internal API
information. A malicious attacker, in situations where the server is deployed in developer
mode due to human error, could leverage this weakness to gain information about
application internals, facilitating the exploitation of more significant vulnerabilities.
Our developer environment intentionally reveals more information for debugging purposes. An administrator would have to go out of their way to put a production SecureDrop server into this state. We don’t plan to change this behavior.