File permissions for validator client API keys are insecure #8
Labels: famed (Tracked by Famed), lighthouse, medium (Common Vulnerability Scoring System (CVSS) - Medium)
UID: CL-2021-39
Severity: medium
Type: BUG
Affected Clients: Lighthouse
Summary: A validator client uses two API keys: ".secp-sk" (secret key) and "api-token.txt" (the corresponding public key).
Both files are stored in a user directory with 644 permission bits.
So any user on the host can read them.
Links: sigp/lighthouse#2437
Reported: 2021-07-07
Fixed: 2021-09-13
Published: 2021-12-01
Bounty Hunter: Taurus
Bounty Points: Part of EF initiated Security Audit: https://arxiv.org/abs/2109.11685
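An added example, not code from Lighthouse or from the linked fix: a Unix-only audit that flags the two files named in the summary when group or other holds any permission bit, next to a writer that creates a secret file at mode 0600 from the first byte. The function names `write_private` and `audit_key_files` are hypothetical, and the directory to scan is supplied by the caller.

```rust
use std::fs::{self, OpenOptions};
use std::io::{self, Write};
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::{Path, PathBuf};

// File names taken from the issue summary.
const KEY_FILES: [&str; 2] = [".secp-sk", "api-token.txt"];

/// Create `path` with mode 0600 at open time, so the file never exists with
/// wider bits, then set the mode explicitly so the result does not depend on
/// umask. `create_new` refuses to reuse an existing, possibly looser, file.
pub fn write_private(path: &Path, contents: &[u8]) -> io::Result<()> {
    let mut f = OpenOptions::new()
        .write(true)
        .create_new(true)
        .mode(0o600)
        .open(path)?;
    f.set_permissions(fs::Permissions::from_mode(0o600))?;
    f.write_all(contents)
}

/// Return the key files in `dir` that grant any access to group or other,
/// together with their permission bits. Missing files are skipped.
pub fn audit_key_files(dir: &Path) -> io::Result<Vec<(PathBuf, u32)>> {
    let mut findings = Vec::new();
    for name in KEY_FILES.iter() {
        let path = dir.join(name);
        match fs::metadata(&path) {
            Ok(meta) => {
                let mode = meta.permissions().mode() & 0o777;
                if mode & 0o077 != 0 {
                    findings.push((path, mode));
                }
            }
            Err(e) if e.kind() == io::ErrorKind::NotFound => {}
            Err(e) => return Err(e),
        }
    }
    Ok(findings)
}

fn main() -> io::Result<()> {
    // Usage: pass the directory holding the key files (defaults to ".").
    let dir = std::env::args().nth(1).unwrap_or_else(|| ".".into());
    for (path, mode) in audit_key_files(Path::new(&dir))? {
        println!("{} has mode {:o}, expected 600", path.display(), mode);
    }
    Ok(())
}
```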