(This image was created with the assistance of DALL·E 2)
The Silent Saboteur: Plain Text Credentials on Webpages
Welcome back to our blog series: Vulnerability of the Month! With this series we would like to give you insights into our and our hackers’ daily work and talk about vulnerabilities. By doing so, we hope to help spread important security knowledge about specific vulnerabilities, how to find them, techniques used and by doing that raise awareness to all the vulnerabilities that may still be out there.
If you want to learn more about the series and why we do it this way, please have a look at the first blog post available here: https://www.bugbounty.ch/votm-jan-23/
Author: this month’s blog post was authored by Cindy Yang
Credits: this month’s vulnerability was reported by pprab
Context of the Bug Bounty program
- A time-limited, budget-limited private program
- In scope is a big part of the exposed websites of the customer with dozens of domains
- Time between launch of the program and submission of the report: ~4 months
Why this vulnerability
In today’s world of endless possibilities, where technology has reached new heights, it’s no surprise that cybersecurity is of utmost importance. With all the fancy security measures like web application firewalls and encryption, one would think that people would be more cautious about their digital assets. But no, some people like to live dangerously, as evidenced by their decision to store admin credentials directly on JavaScript source code.
It’s like going to the dentist to get your teeth cleaned but forgetting to brush them regularly at home. What could possibly go wrong? Let’s check it out!
The system affected
One of the web-based assets of the customer.
The vulnerability as described by the hacker
The path to the vulnerability
While examining the source code of the webpage, the hacker detected some commented code containing the username and the password of the admin, and they still worked – sometimes it is that simple…
Impact analysis
Full admin access to the admin part of the system, since the hacker has access to the username and password of the admin user.
Our perspective
This report is from the category of «no way – this will never happen to us». But our experience shows mistakes happen, and nobody is immune to them.
What went wrong?
The relevant JS snippet has been commented out, so the local, JS-based login functionality wasn’t in use anymore and was probably used during development. The problem was that the credentials haven’t been rotated/changed when switching to the proper authentication mechanism. In addition, try to reduce the attack surface by removing unused code before using it in production and exposing it to the internet.
Interested in finding vulnerabilities? We’re always looking for new hacking talents – please register yourself here: bugbounty.ch/hacker!
