Vulnerability of the Month: March ‘23

Welcome back to our blog series. This month with: The Silent Saboteur: Plain Text Credentials on Webpages.

Von Florian Badertscher, Veröffentlicht am 3. April 2023 5 min Lesezeit

(This image was created with the assistance of DALL·E 2) 

The Silent Saboteur: Plain Text Credentials on Webpages 

Welcome back to our blog series: Vulnerability of the Month! With this series we would like to give you insights into our and our hackers’ daily work and talk about vulnerabilities. By doing so, we hope to help spread important security knowledge about specific vulnerabilities, how to find them, techniques used and by doing that raise awareness to all the vulnerabilities that may still be out there. 

If you want to learn more about the series and why we do it this way, please have a look at the first blog post available here:  

Author: this month’s blog post was authored by Cindy Yang 

Credits: this month’s vulnerability was reported by pprab 

Context of the Bug Bounty program 

  • A time-limited, budget-limited private program 
  • In scope is a big part of the exposed websites of the customer with dozens of domains 
  • Time between launch of the program and submission of the report: ~4 months 

Why this vulnerability 

In today’s world of endless possibilities, where technology has reached new heights, it’s no surprise that cybersecurity is of utmost importance. With all the fancy security measures like web application firewalls and encryption, one would think that people would be more cautious about their digital assets. But no, some people like to live dangerously, as evidenced by their decision to store admin credentials directly on JavaScript source code. 

It’s like going to the dentist to get your teeth cleaned but forgetting to brush them regularly at home. What could possibly go wrong? Let’s check it out! 

The system affected 

One of the web-based assets of the customer. 

The vulnerability as described by the hacker 

The path to the vulnerability 

While examining the source code of the webpage, the hacker detected some commented code containing the username and the password of the admin, and they still worked – sometimes it is that simple… 

Impact analysis 

Full admin access to the admin part of the system, since the hacker has access to the username and password of the admin user. 

Our perspective 

This report is from the category of «no way – this will never happen to us». But our experience shows mistakes happen, and nobody is immune to them.  

What went wrong? 

The relevant JS snippet has been commented out, so the local, JS-based login functionality wasn’t in use anymore and was probably used during development. The problem was that the credentials haven’t been rotated/changed when switching to the proper authentication mechanism. In addition, try to reduce the attack surface by removing unused code before using it in production and exposing it to the internet.


Interested in finding vulnerabilities? We’re always looking for new hacking talents – please register yourself here:!

Bleib auf dem Laufenden mit unserem Newsletter!

Du suchst Bug Bounty News, Hackerportraits und Erfolgsgeschichten aus dem Unternehmensalltag? Bleib auf dem Laufenden mit unserem Newsletter.

Hast Du Fragen?

Nimm mit uns Kontakt auf - wir freuen uns auf Dich!

Termin vereinbaren