unionlabs / union

The trust-minimized, zero-knowledge bridging protocol, designed for censorship resistance, extremely high security, and usage in decentralized finance.
https://union.build
Apache License 2.0

Alchemy API Key Exposed #2379

Open Caglankaan opened 3 months ago

Caglankaan commented 3 months ago

Alchemy API Key Exposed

Request

POST /v1/graphql HTTP/2
Host: graphql.union.build
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/graphql-response+json, application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://app.union.build/
Content-Type: application/json
Content-Length: 856
Origin: https://app.union.build
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Te: trailers

{"query":"query ChainsQuery @cached(ttl: 30) {\n  v0_chains(where: {enabled: {_eq: true}}, order_by: {display_name: asc}) {\n    display_name\n    testnet\n    chain_id\n    enabled\n    id\n    rpc_type\n    addr_prefix\n    rpcs(where: {enabled: {_eq: true}}) {\n      url\n      type\n    }\n    ucs1_configurations {\n      channel_id\n      contract_address\n      destination_chain {\n        chain_id\n      }\n      forward {\n        channel_id\n        destination_chain {\n          chain_id\n        }\n        port\n      }\n    }\n    explorers {\n      tx_url\n      block_url\n      address_url\n    }\n    assets {\n      denom\n      display_symbol\n      display_name\n      decimals\n      faucets(where: {enabled: {_eq: true}}) {\n        url\n        display_name\n      }\n    }\n  }\n}","variables":{},"operationName":"ChainsQuery"}

Response

HTTP/2 200 OK
Date: Tue, 02 Jul 2024 08:24:34 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 8821
Access-Control-Allow-Origin: https://app.union.build
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,PUT,PATCH,DELETE,OPTIONS
Access-Control-Expose-Headers: X-Hasura-Query-Cache-Key,X-Hasura-Query-Family-Cache-Key,Warning
X-Hasura-Query-Family-Cache-Key: 30084d897ed1163cc7896ec0d445cb2c072330d0
X-Hasura-Query-Cache-Key: 1027a2ae2b3a2ed30160f58bd971bb7a783186e1
X-Request-Id: 5e59272fd8b8a1f1f392fe4b9853c3ec
Cache-Control: max-age=24
Cf-Cache-Status: DYNAMIC
Content-Security-Policy: upgrade-insecure-requests
Referrer-Policy: strict-origin-when-cross-origin
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 0
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rJ%2FGONRnKXa6LeuwS1btNIJt%2BTT%2FQG%2BMsaRXrkn%2FbZrqPaygNGg0yPGjdRGzEsEG6GF1yMm7sIV6AV%2FypOVZc5saIrGAaUQqh1ttnpz2Vp3kzeg9wM92bNOq1vK0GU%2BKROyDXWU%3D"}],"group":"cf-nel","max_age":604800}
Nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
Cf-Ray: 89cd3d7f9802b63b-IST

{"data":{"v0_chains":[{"display_name":"Sepolia","testnet":true,"chain_id":"11155111","enabled":true,"id":1,"rpc_type":"evm","addr_prefix":"0x","rpcs":[{"url":"eth-sepolia.g.alchemy.com/v2/SQAcneXzJzITjplR7cwQhFUqF-SU-ds4","type":"alchemy"
...
...
...

In this response, the Alchemy API key is exposed and can be used by anyone. None of the HTTP response values should expose any kind of API keys.

POC

>>> from web3 import Web3
>>> infura_url = "https://eth-sepolia.g.alchemy.com/v2/SQAcneXzJzITjplR7cwQhFUqF-SU-ds4"
>>> web3 = Web3(Web3.HTTPProvider(infura_url))
>>> web3.eth.get_balance("0x5CF094a64E99A85AA7866DB5B2A51827C7D224aF")
1515001042037750000
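A defender-side check for the class of leak reported above, added here as an example and not code from the issue or from the union project: it walks a ChainsQuery-shaped response, flags every RPC URL whose path carries a provider API key (Alchemy-style `/v2/<key>`, and by the same pattern Infura-style `/v3/<key>`), and produces a redacted copy for a response filter or a CI check on seed data. The provider host list, the key-shape regex and the sample payload with its placeholder key are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Hosted RPC providers whose public URL format puts the API key in the path.
# Host list and key-shape pattern are constructed for this example.
KEYED_HOSTS = re.compile(r"(?:^|\.)(alchemy\.com|alchemyapi\.io|infura\.io)$", re.I)
KEYED_PATH = re.compile(r"^/(?:v\d+/)?([A-Za-z0-9_-]{20,})/?$")

# Constructed sample shaped like the ChainsQuery response; the key is a placeholder.
SAMPLE = {"data": {"v0_chains": [{"display_name": "Sepolia", "chain_id": "11155111",
    "rpcs": [{"url": "eth-sepolia.g.alchemy.com/v2/EXAMPLEKEY0123456789abcdefghij", "type": "alchemy"},
             {"url": "https://rpc.example.org", "type": "rpc"}]}]}}

def keyed_rpc_url(value):
    """Return the embedded key if `value` is a provider RPC URL carrying one, else None.
    Scheme-less URLs (as in the chains response) are accepted."""
    try:
        parts = urlsplit(value if "://" in value else "https://" + value)
    except ValueError:  # not URL-shaped at all
        return None
    if not parts.hostname or not KEYED_HOSTS.search(parts.hostname):
        return None
    m = KEYED_PATH.match(parts.path)
    return m.group(1) if m else None

def _strings(node, path=""):
    """Yield (json_path, value) for every string in a nested JSON structure."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _strings(v, f"{path}.{k}" if path else k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _strings(v, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def find_exposed_keys(payload):
    """List (json_path, url) for every RPC URL in a response that embeds a key."""
    return [(p, v) for p, v in _strings(payload) if keyed_rpc_url(v)]

def redact_exposed_keys(node):
    """Return a copy of the payload with embedded RPC keys replaced by a placeholder."""
    if isinstance(node, dict):
        return {k: redact_exposed_keys(v) for k, v in node.items()}
    if isinstance(node, list):
        return [redact_exposed_keys(v) for v in node]
    if isinstance(node, str) and (key := keyed_rpc_url(node)):
        return node.replace(key, "<REDACTED>")
    return node
```

Run `find_exposed_keys` against the live endpoint's JSON as a recurring canary after the key is rotated; a non-empty result means a credential is still being served to clients.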

o-az commented 2 months ago

this issue is also present in our other keys like the alchemy key used for sentinel fyi