API token can be read from a log file by any user #9
Labels: famed (Tracked by Famed), lighthouse, medium (Famed CVSS: Medium)
UID: CL-2021-38
Severity: medium
Type: BUG
Affected Clients: Lighthouse
Summary: A validator client uses two API keys: ".secp-sk" (secret key) and "api-token.txt" (the corresponding public key).
The spec suggests that an API token can be obtained (read) from a file or from logs.
The second method is insecure by design and is considered a very bad practice in web application security (see, e.g., the OWASP guidance on logging).
Moreover, an API token can be read from the log file by any user on the host because the file permissions for the logs are 644.
Links: sigp/lighthouse#2438
Reported: 2021-07-07
Fixed: 2021-09-13
Published: 2021-12-01
Bounty Hunter: Taurus
Bounty Points: Part of EF initiated Security Audit: https://arxiv.org/abs/2109.11684
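A defender-side check for the two conditions described in the summary (a log file readable by every local user, and the API token written verbatim into that log), added here as an example and not part of Lighthouse's own code. File names, log wording and the token value are constructed for the demo.

```shell
#!/bin/sh
# Added example, not Lighthouse's own code. Paths, log wording and the
# token value are constructed assumptions for demonstration.

# Permission bits of a file as octal digits (GNU stat, BSD/macOS fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed when group or other has read access, i.e. the file is readable
# by every local user, as a mode 644 log file is.
log_is_shared() {
    mode=$(file_mode "$1") || return 1
    go=${mode#${mode%??}}            # last two digits: group, other
    g=${go%?}; o=${go#?}
    [ $(( g & 4 )) -ne 0 ] || [ $(( o & 4 )) -ne 0 ]
}

# Exit status: 0 clean; bit 1 = log readable by other users;
# bit 2 = the token from the token file appears verbatim in the log.
audit_log_for_token() {
    log=$1; token_file=$2; rc=0
    if log_is_shared "$log"; then
        echo "WARN: $log is mode $(file_mode "$log"): readable by every local user" >&2
        rc=1
    fi
    token=$(cat "$token_file")
    if [ -n "$token" ] && grep -qF -- "$token" "$log"; then
        echo "WARN: API token from $token_file is written to $log" >&2
        rc=$((rc + 2))
    fi
    return $rc
}

# Constructed reproduction of the reported state: a token file plus a
# world-readable log that echoes the token on startup.
make_constructed_case() {
    dir=$1
    printf 'api-token-0xCONSTRUCTED0123\n' > "$dir/api-token.txt"
    chmod 600 "$dir/api-token.txt"
    {
        printf 'INFO Validator client started\n'
        printf 'INFO HTTP API started, api_token: %s\n' "$(cat "$dir/api-token.txt")"
    } > "$dir/validator.log"
    chmod 644 "$dir/validator.log"
}

# Stand-alone demo: expect both findings (exit status 3).
demo_dir=$(mktemp -d)
make_constructed_case "$demo_dir"
audit_log_for_token "$demo_dir/validator.log" "$demo_dir/api-token.txt" \
    && echo "clean" || echo "findings: exit status $?"
rm -rf "$demo_dir"
```

Running the audit against a real validator's log and token paths only needs the two arguments; the demo directory exists only to show the expected findings.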