Remote attackers may also use the hardcoded API Token to send HTTP requests to the server and obtain sensitive information, such as the list of users and other account information.

An attacker in a remote location may be able to use the hardcoded API Token to establish connections with the server and carry out login attempts against general user accounts. If a login to a general user account succeeds, the attacker can access, modify or delete that user's account information.

In the following example of hardcoding the API Token, the value for the API Token is hardcoded into the app source code:

https://[server]/storage/get_user_info.php?token=87e3c98d3e6724f8b87d2b9d9c9e7d

An attacker may be able to use the hardcoded API Token to establish connections with the server and carry out login attempts against general user accounts. If a login to a general user account succeeds, the attacker can access, modify or delete that user's account information.

Authentication/Authorization Issues

The hardcoded API Token may also be used to send HTTP requests to the server and obtain sensitive information, such as the list of users and other account information.

An attacker in a remote location may be able to use the hardcoded API Token to establish connections with the server and carry out login attempts against general user accounts. If a login to a general user account succeeds, the attacker can access, modify or delete that user's account information.
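The root cause described in this section is that one token shipped inside the app proves only "this request comes from our app", not "this request comes from user X", so the server has no basis for restricting which account a caller may read or change. The following is an added example, not the vendor's code: a small Python model of the storage endpoint in its weak form (shared app token plus a client-supplied user_id) next to a hardened form that issues per-user, short-lived session tokens at login, takes the identity from the bearer token, and refuses cross-account access. The user records, the `login()` credential check, the token lifetime and all function names are constructed for illustration.

```python
import hmac
import secrets
import time

# Constructed sample user store (illustration only, not real account data).
USERS = {
    "1001": {"name": "alice", "email": "alice@example.com"},
    "1002": {"name": "bob", "email": "bob@example.com"},
}

# Weak pattern: a single token embedded in every copy of the app.
# The value is the one shown in the advisory's example URL.
APP_TOKEN = "87e3c98d3e6724f8b87d2b9d9c9e7d"


def vulnerable_get_user_info(params):
    """Models the weak check: anyone holding the shared app token may
    read ANY account, because identity comes from a client-supplied id."""
    if not hmac.compare_digest(params.get("token", ""), APP_TOKEN):
        return 401, None
    user = USERS.get(params.get("user_id", ""))
    return (200, user) if user else (404, None)


# Hardened pattern: per-user session tokens, issued at login, time-limited.
SESSIONS = {}        # session token -> (user_id, expiry); in-memory for the example
TOKEN_TTL_SECONDS = 900


def login(username, password):
    """Hypothetical credential check. Real code verifies a stored password
    hash; here the accepted password is '<username>-pw' for demonstration."""
    uid = next((u for u, rec in USERS.items() if rec["name"] == username), None)
    if uid is None or not hmac.compare_digest(password, f"{username}-pw"):
        return None
    token = secrets.token_urlsafe(32)            # unpredictable, per-session
    SESSIONS[token] = (uid, time.time() + TOKEN_TTL_SECONDS)
    return token


def principal_for(token):
    """Map a bearer token to a user id, dropping expired sessions."""
    entry = SESSIONS.get(token)
    if entry is None:
        return None
    uid, expiry = entry
    if time.time() > expiry:
        SESSIONS.pop(token, None)
        return None
    return uid


def hardened_get_user_info(headers, params):
    """Identity comes from the session, never from a client-supplied user_id.
    A request for someone else's record is refused even with a valid session."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, None
    uid = principal_for(auth[len("Bearer "):])
    if uid is None:
        return 401, None
    requested = params.get("user_id", uid)
    if requested != uid:
        return 403, None
    return 200, USERS[uid]


if __name__ == "__main__":
    print("shared token reads bob:", vulnerable_get_user_info({"token": APP_TOKEN, "user_id": "1002"}))
    tok = login("alice", "alice-pw")
    print("alice reads self:", hardened_get_user_info({"Authorization": f"Bearer {tok}"}, {}))
    print("alice reads bob:", hardened_get_user_info({"Authorization": f"Bearer {tok}"}, {"user_id": "1002"}))
    print("app token on hardened endpoint:", hardened_get_user_info({"Authorization": f"Bearer {APP_TOKEN}"}, {}))
```

The design point is that the hardened handler never trusts `user_id` from the request to decide whose data to return; the record served is always the one belonging to the authenticated session, and the shared app token is rejected outright because it maps to no principal. Rotating or revoking a session is then a server-side change, whereas a token compiled into the app cannot be revoked without shipping a new build.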

Information Disclosure

An attacker who holds the hardcoded API Token can use it to send HTTP requests to the server and obtain sensitive information, such as the list of users and other account information.

In this example of hardcoding the API Token, the value for the API Token is hardcoded into the app source code:

https://[server]/storage/get_user_info.php?token=87e3c98d3e6724f8b87d2b9d9c9e7d

An attacker may be able to use the hardcoded API Token to send HTTP requests to the server and obtain sensitive information, such as the list of users and other account information.
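Both example URLs on this page show the same pattern a secret scanner should catch before an app ships: a long, high-entropy token sitting literally in source, either inside a URL query string or assigned to a constant. The following added example, not the vendor's code, is a small Python scanner that flags both forms over a constructed PHP fragment and uses a Shannon-entropy threshold so that build-time placeholders such as a run of `x` characters are not reported. The sample source, the regular expressions, the entropy threshold and the function names are all assumptions for illustration; the token value is the one from the advisory's example URL.

```python
import math
import re

# Two shapes a hardcoded token commonly takes in app source:
#   1. carried as a query parameter inside a literal URL
#   2. assigned to a constant or variable whose name suggests a secret
QUERY_TOKEN = re.compile(
    r"[?&](?:token|api_token|apikey|api_key)=([A-Za-z0-9_\-]{16,})", re.I)
ASSIGNED_TOKEN = re.compile(
    r"(?:token|api_?key|secret)\s*[:=]\s*[\"']([^\"']{16,})[\"']", re.I)


def shannon_entropy(value):
    """Bits per character; a real token scores high, a placeholder scores low."""
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return abs(-sum(c / n * math.log2(c / n) for c in counts.values()))


def scan_source(text, min_entropy=2.5):
    """Return one finding per suspected hardcoded token in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pattern, kind in ((QUERY_TOKEN, "token-in-url"),
                              (ASSIGNED_TOKEN, "token-assigned")):
            for match in pattern.finditer(line):
                value = match.group(1)
                entropy = shannon_entropy(value)
                if entropy < min_entropy:
                    continue            # placeholder / dummy value, not a secret
                findings.append({
                    "line": lineno,
                    "kind": kind,
                    "value": value,
                    "entropy": round(entropy, 2),
                })
    return findings


# Constructed sample (not the vendor's source). Line 3 mirrors the advisory's
# example URL; line 4 is a placeholder that must NOT be flagged; line 6 builds
# the URL from a runtime session token, which is the fix and is not flagged.
SAMPLE_SOURCE = """<?php
// constructed sample for the scanner
$url = "https://[server]/storage/get_user_info.php?token=87e3c98d3e6724f8b87d2b9d9c9e7d";
$api_token = "xxxxxxxxxxxxxxxxxxxxxxxx";
$api_key = 'q7Rz2mPb9Kd4Lx0VsT1nHj6W';
$safe = "https://[server]/storage/get_user_info.php?token=" . $session_token;
"""

if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(f"line {finding['line']}: {finding['kind']} "
              f"(entropy {finding['entropy']}) {finding['value']}")
```

Run against a real tree, `scan_source` would be applied per file; the entropy gate is what keeps such a check usable in CI, since variable names like `$api_token` are legitimate as long as the value is supplied at runtime rather than compiled in. A finding on a URL literal is the stronger signal, because a token in a query string also ends up in server access logs and proxy caches.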

Timeline

Published on: 04/22/2022 07:15:00 UTC
Last modified on: 05/04/2022 12:49:00 UTC

References