https://*.backpack.exchange/
I found a valid API key through your GitHub account. Here is the source code link.
The logging utility in the provided code contains a hardcoded API key used to communicate with the Logflare API. This is a significant security risk: anyone who can read the source can use the exposed key to send unauthorized logs, impersonate the application, or exhaust its API quota.
const sourceId = "13f2dddf-4ad3-446f-8ebe-f16b4415483c";
const apiKey = "g2jE0-ajd9Kf"; // Hardcoded API key
const url = `https://api.logflare.app/api/logs?source=${sourceId}`;
The API key g2jE0-ajd9Kf is hardcoded within the logflareDebug function. Since the code appears to be part of a service worker committed to the repository, the key can be read directly from GitHub.
Locate the hardcoded API key in the codebase. Retrieve the key and verify that it is still valid with a simple curl command:
curl -X POST "https://api.logflare.app/api/logs?source=13f2dddf-4ad3-446f-8ebe-f16b4415483c" \
-H "Content-Type: application/json" \
-H "X-API-KEY: g2jE0-ajd9Kf" \
-d '{"event_message": "Test Log"}'
Observe the unauthorized log being successfully sent to Logflare.
Impact:
- Unauthorized Access: An attacker could use the exposed API key to send arbitrary logs to the Logflare service, potentially impersonating the application.
- Data Integrity Issues: Malicious logs could clutter or poison the data collected, making debugging and monitoring difficult.
- Data Manipulation: Modifying log entries to mislead or hide important information.
- Resource Exhaustion: API quotas could be exhausted, leading to denial of service for legitimate usage.
- Reputation Damage: If malicious actors abuse the key, it could lead to false logs or activity associated with the application, harming its reputation.
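As an added remediation example (not code from the reported project), the following shows the hardened form of the logging client described above, which takes the Logflare credentials from environment variables and refuses to start without them, together with a small reviewer-side check that flags the hardcoded-literal pattern in source so it is caught before it reaches GitHub. The names makeLogflareClient, findHardcodedSecrets, LOGFLARE_SOURCE_ID, LOGFLARE_API_KEY and all sample values are assumptions made for this illustration.

```javascript
// Added example (not from the reported project): configuration-driven Logflare
// client plus a reviewer-side check for the hardcoded-literal pattern.
// All names (makeLogflareClient, findHardcodedSecrets, LOGFLARE_* variables)
// and sample values below are assumptions made for this illustration.

const LOGFLARE_ENDPOINT = "https://api.logflare.app/api/logs";

// Hardened client: credentials come from the environment (or a secret manager
// injected at deploy time), never from a literal in the source tree. Missing
// configuration is a hard failure rather than a silent fallback to a default key.
function makeLogflareClient(env, fetchImpl = globalThis.fetch) {
  const sourceId = env.LOGFLARE_SOURCE_ID;
  const apiKey = env.LOGFLARE_API_KEY;
  if (!sourceId || !apiKey) {
    throw new Error("LOGFLARE_SOURCE_ID and LOGFLARE_API_KEY must be set in the environment");
  }
  const url = `${LOGFLARE_ENDPOINT}?source=${encodeURIComponent(sourceId)}`;

  // Builds the request without sending it, so it can be inspected and tested
  // offline. The key travels only in the X-API-KEY header, never in the URL.
  function buildRequest(message, metadata = {}) {
    return {
      url,
      options: {
        method: "POST",
        headers: { "Content-Type": "application/json", "X-API-KEY": apiKey },
        body: JSON.stringify({ event_message: message, metadata }),
      },
    };
  }

  async function send(message, metadata) {
    const { url: target, options } = buildRequest(message, metadata);
    const res = await fetchImpl(target, options);
    return res.ok;
  }

  return { buildRequest, send };
}

// Reviewer-side detection: flag string literals assigned to identifiers that
// look like credentials (apiKey, api_key, secret, token). Intended for a
// pre-commit hook or CI step; it is a cheap complement to a full secret scanner.
function findHardcodedSecrets(source) {
  const pattern =
    /\b(?:const|let|var)\s+(\w*(?:apiKey|api_key|secret|token)\w*)\s*=\s*(["'`])([^"'`\n]{6,})\2/gi;
  const findings = [];
  let m;
  while ((m = pattern.exec(source)) !== null) {
    findings.push({ name: m[1], value: m[3] });
  }
  return findings;
}

// Constructed sample inputs: the vulnerable pattern and its hardened replacement.
const VULNERABLE_SNIPPET = 'const apiKey = "EXAMPLE-KEY-00000"; // hardcoded';
const HARDENED_SNIPPET = "const apiKey = process.env.LOGFLARE_API_KEY;";

// Runs both checks against the constructed samples and reports the outcome.
function demo() {
  const client = makeLogflareClient({
    LOGFLARE_SOURCE_ID: "example-source-id",
    LOGFLARE_API_KEY: "EXAMPLE-KEY-00000",
  });
  const req = client.buildRequest("Test Log");
  return {
    flaggedInVulnerable: findHardcodedSecrets(VULNERABLE_SNIPPET).length,
    flaggedInHardened: findHardcodedSecrets(HARDENED_SNIPPET).length,
    keyInUrl: req.url.includes("EXAMPLE-KEY-00000"),
    keyInHeader: req.options.headers["X-API-KEY"] === "EXAMPLE-KEY-00000",
  };
}
```

The scanner is deliberately narrow (declarations whose name looks credential-like and whose value is a string literal); a real pipeline would pair it with a full secret scanner and with rotation of any key that has already been committed, since removing the literal from HEAD does not remove it from history.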
Here is the poc video link: https://drive.google.com/file/d/1ssYIiKNPfLxrTtRUr7dY_Di2BDSEhO3P/view?usp=sharing