'%3e%3cpath%20d='M12.4997%201.33325C10.39%201.33325%208.32772%201.95884%206.5736%203.13091C4.81947%204.30298%203.4523%205.96888%202.64496%207.91796C1.83763%209.86704%201.62639%2012.0118%202.03797%2014.0809C2.44955%2016.15%203.46545%2018.0506%204.95721%2019.5424C6.44897%2021.0342%208.34959%2022.0501%2010.4187%2022.4616C12.4878%2022.8732%2014.6326%2022.662%2016.5816%2021.8546C18.5307%2021.0473%2020.1966%2019.6801%2021.3687%2017.926C22.5408%2016.1719%2023.1663%2014.1096%2023.1663%2011.9999C23.1663%209.17094%2022.0425%206.45783%2020.0422%204.45745C18.0418%202.45706%2015.3287%201.33325%2012.4997%201.33325ZM12.4997%2021.3333C10.6537%2021.3333%208.84922%2020.7859%207.31436%2019.7603C5.7795%2018.7347%204.58322%2017.2771%203.8768%2015.5716C3.17039%2013.8662%202.98555%2011.9896%203.34568%2010.1791C3.70581%208.36859%204.59473%206.70554%205.90002%205.40025C7.20531%204.09496%208.86835%203.20605%2010.6788%202.84592C12.4893%202.48579%2014.3659%202.67063%2016.0714%203.37704C17.7768%204.08346%2019.2345%205.27974%2020.2601%206.8146C21.2856%208.34945%2021.833%2010.154%2021.833%2011.9999C21.833%2014.4753%2020.8497%2016.8492%2019.0993%2018.5996C17.349%2020.3499%2014.975%2021.3333%2012.4997%2021.3333Z'%20fill='white'/%3e%3cpath%20d='M19.167%208.06667C19.042%207.9425%2018.8731%207.8728%2018.697%207.8728C18.5208%207.8728%2018.3519%207.9425%2018.227%208.06667L10.8269%2015.4333L6.82695%2011.4333C6.70495%2011.3016%206.53562%2011.2237%206.35621%2011.2169C6.1768%2011.21%206.00201%2011.2747%205.87028%2011.3967C5.73856%2011.5187%205.66069%2011.688%205.65382%2011.8674C5.64694%2012.0468%205.71162%2012.2216%205.83362%2012.3533L10.8269%2017.3333L19.167%209.01333C19.2294%208.95136%2019.279%208.87762%2019.3129%208.79638C19.3467%208.71514%2019.3642%208.62801%2019.3642%208.54C19.3642%208.45199%2019.3467%208.36485%2019.3129%208.28361C19.279%208.20237%2019.2294%208.12864%2019.167%208.06667Z'%20fill='white'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2790_31187'%3e%3crect%20width='24'%20height='24'%20fill='white'%20transform='translate(0.5)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
CoinTR Pro Disclosed Report
Bug bounty report CoinTR Pro Mobile & APIGoCd Encryption Key exposed on cointr.com
Company
Created date
Apr 30 2024
Target
www.cointr.com
Vulnerability Details
The GoCD encryption key is a sensitive piece of information used to encrypt and decrypt secret variables within your GoCD configuration. Knowing this key allows someone to decrypt any confidential information stored in GoCD, like passwords or API keys.
Here's some key information about the GoCD encryption key:
- Storage: GoCD stores the encryption key in a file named
cipher.aes. This file's location depends on your setup, but it's commonly found in/godata/config/cipher.aesfor Docker deployments. - Security Concerns: - Exposure: In GoCD versions before 21.1.0, the encryption key was accidentally leaked to authenticated agents, potentially allowing them to decrypt secrets https://hackenproof.com/redirect?url=https://hackenproof.com/redirect?url=https://github.com/go-git/go-git/security/advisories/GHSA-449p-3h89-pw88. Make sure you are running a version 21.1.0 or later to avoid this vulnerability.
- Storage: The
cipher.aesfile itself needs to be well protected. Avoid committing it to version control systems.
- Storage: The
Here are some resources for further reading:
- GoCD Secret Management: https://hackenproof.com/redirect?url=https://docs.gocd.org/current/configuration/secrets_management.html
- GoCD Security Advisories: https://hackenproof.com/redirect?url=https://hackenproof.com/redirect?url=https://github.com/go-git/go-git/security/advisories/GHSA-449p-3h89-pw88 (Look for advisories mentioning "encryption key")
Validation steps
POC
go to : https://ops-header-ws.cointr.com/go/add-on/business-continuity/api/cipher.aes
Attachments
Screenshot_2024-04-30_at_7.00.13_PM.pngCommentsReport History
Comments on this report are hidden 
Details Statedisclosed
Severity Medium
Bounty
hidden
hiddenVisibilitypartially
VulnerabilityInsecure Data Transport
Participants (2) 
author
company admin