https://github.com/ambrosus/ambrosus-bridge
A sensitive Telegram bot token (5244673889:AAGa9f6UYZEtpJWWIKy7iPbI-qiQJbT8zZw) is hardcoded in the externalLogger.telegram section of the configuration file. In addition, the private key fields contain only the placeholder "in env", which suggests that secure credential management is only partially implemented. Because the configuration file is committed to the public repository, anyone who reads it obtains a working bot token.
Here is the link: https://github.com/ambrosus/ambrosus-bridge/blob/dev/relay/configs/dev-bsc.json
Vulnerable File/Component
File: relay/configs/dev-bsc.json (configuration JSON file for network and application setup)
Section: externalLogger.telegram.token
Steps to Reproduce
1. Obtain a copy of the configuration JSON file.
2. Locate the externalLogger.telegram.token field.
3. Observe that the Telegram bot token is hardcoded as: "token": "5244673889:AAGa9f6UYZEtpJWWIKy7iPbI-qiQJbT8zZw"
4. The token can then be used to send messages to the configured chat (chatId: "-1001732781392") or to perform other unauthorized actions through the Telegram bot.
Security Risks
Hardcoded Token Exploitation:
- Unauthorized bot control and misuse.
- Exposure of internal communications or sensitive logs.
Credential Mismanagement:
- Increased risk of private key exposure.
- Potential compromise of blockchain network operations.
Proof of Concept (PoC)
Copy the hardcoded token:
5244673889:AAGa9f6UYZEtpJWWIKy7iPbI-qiQJbT8zZw
Use the token in a Telegram bot API request, such as (line continuations added so the command runs as one invocation):
curl -X POST https://api.telegram.org/bot5244673889:AAGa9f6UYZEtpJWWIKy7iPbI-qiQJbT8zZw/sendMessage \
  -d chat_id=-1001732781392 \
  -d text="This is a test message from an unauthorized user."
Observe that the message is successfully sent to the specified chat.
Impact
Unauthorized users can:
- Send arbitrary messages to the Telegram channel.
- Disrupt legitimate communications or spread false information.
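As an added defensive check (not code from the ambrosus-bridge project), the following Python walks a config in the same layout as the report's, flags any string value shaped like a Telegram bot token, and resolves "in env" placeholders from the environment instead of accepting literal secrets. The sample config, the token in it and the TELEGRAM_TOKEN variable name are constructed for this example.

```python
import json
import os
import re

# Shape of a Telegram bot token: numeric bot id, colon, 35-character secret.
# Assumption: this pattern is used only to detect literals that should not be in config files.
TELEGRAM_TOKEN_RE = re.compile(r"^\d{8,10}:[A-Za-z0-9_-]{35}$")
ENV_PLACEHOLDER = "in env"

# Constructed sample mirroring the report's layout; the token is a fake of the right shape.
SAMPLE_CONFIG = json.loads("""{
  "externalLogger": {"telegram": {"token": "123456789:AAFakeTokenForDemo_0123456789abcdef",
                                  "chatId": "-1001732781392"}},
  "networks": {"amb": {"privateKey": "in env"}, "bsc": {"privateKey": "in env"}}
}""")


def find_hardcoded_secrets(node, path=""):
    """Return dotted paths of every string in a parsed JSON config that looks like a bot token."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            findings.extend(find_hardcoded_secrets(value, f"{path}.{key}" if path else key))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            findings.extend(find_hardcoded_secrets(value, f"{path}[{i}]"))
    elif isinstance(node, str) and TELEGRAM_TOKEN_RE.match(node):
        findings.append(path)
    return findings


def resolve_secret(config_value, env_name, env=os.environ):
    """Resolve a secret field: 'in env' is read from the environment; a literal secret is refused."""
    if config_value == ENV_PLACEHOLDER:
        value = env.get(env_name)
        if not value:
            raise RuntimeError(f"{env_name} is not set in the environment")
        return value
    raise ValueError(f"secret must be supplied via {env_name}, not written into the config file")


if __name__ == "__main__":
    # Prints ['externalLogger.telegram.token'] for the constructed sample.
    print(find_hardcoded_secrets(SAMPLE_CONFIG))
```

Running the scanner over relay/configs/*.json in CI before merge would have flagged the token reported here while leaving the "in env" private key placeholders untouched.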