Secrets in source code
Description
Several repos across DexFi's GitHub organization were found to hard code secrets within source code. Secrets range from API keys with minimal impact, to Slack webhooks, to GitHub access tokens with complete organization permissions. Active secrets are located in current code as well as within commit history. In addition to the issue of being hardcoded within source code, care should be taken to ensure that any authentication tokens with configurable scope are only given the minimal permissions required for their function.
The .npmrc file in the vaults-v3-backend repo history contains active GitHub tokens, one of which has excessive permissions within its commit history. API keys and Slack webhooks are also found within the same repo, in the config/*.json files.
Impact
Any disclosure of source code to an attacker could result in losses wherever visible secrets are used. Excessively scoped tokens could result in far greater loss than if tokens were otherwise minimally scoped. For example, an attacker that manages read-only access to the affected repository code through any method could then locate an overly scoped GitHub token and then make use of their elevated privileges for further attacks. Similar situations could apply for other hardcoded secrets. For example, allowing an attacker Slack webhook access or access to other third-party APIs that are in use.
Recommendations
All sensitive secrets should be stored securely rather than hardcoded within the source, even if the code is not intended to be public. Created tokens should only include the minimally required permissions for function.
Any currently disclosed secrets should be rotated so that they cannot be abused if an attacker finds them in the future. Measures should be implemented to ensure that secrets are not stored in source code in the future, which can be accomplished by enabling GitHub's automated code scanning or by implementing tooling within automated pipelines. All repos across the organization should be examined to determine where secrets are improperly stored and have any occurrences removed.
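To make the recommendations above concrete, the following is an added example (not DexFi's code and not part of this report) of the kind of pipeline tooling the recommendation describes: a small scanner that flags the secret shapes named in the description (a GitHub token behind `_authToken` in an .npmrc file, a Slack webhook and an API key in a config/*.json file), plus the hardened counterpart that reads a secret from the environment instead of from a committed file. The `ghp_`/`github_pat_` prefixes and the `hooks.slack.com/services/` path are GitHub's and Slack's public formats; the sample file contents and token values are constructed fakes, and the JSON key-name heuristic and the entropy threshold are assumptions to tune per repository.

```python
"""Minimal hardcoded-secret scanner for CI or a pre-commit hook (added example).

Not DexFi's code. Sample inputs below are constructed; the token-looking strings
are fake and were never valid credentials.
"""
import json
import math
import os
import re
from collections import Counter
from typing import Dict, List, Tuple

# Finding = (path, locator, kind). locator is a line number for text scans or a
# JSON key path for structured scans.
Finding = Tuple[str, str, str]

# Regexes for the secret types this finding describes.
PATTERNS = {
    # Current GitHub tokens carry a recognisable prefix; classic ghp_ tokens are 36 chars after it.
    "github_token": re.compile(r"\b(?:gh[pousr]_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{22,})\b"),
    # Slack incoming webhooks all live under this path.
    "slack_webhook": re.compile(r"https://hooks\.slack\.com/services/T[A-Za-z0-9]+/B[A-Za-z0-9]+/[A-Za-z0-9]+"),
    # Any registry auth token committed in an .npmrc is a finding regardless of format.
    "npmrc_auth_token": re.compile(r"_authToken\s*=\s*(\S+)"),
}

# Assumed heuristics for JSON config values that carry no recognisable prefix.
KEY_NAME_HINTS = ("key", "secret", "token", "password")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumption, tune to reduce noise


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_key(value: str) -> bool:
    """Generic fallback: long, no whitespace, high entropy."""
    return len(value) >= 20 and " " not in value and shannon_entropy(value) > ENTROPY_THRESHOLD


def scan_text(path: str, text: str) -> List[Finding]:
    """Line-by-line regex scan; works for .npmrc, .env, source files, and raw JSON."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            if pat.search(line):
                findings.append((path, str(lineno), kind))
    return findings


def scan_json_config(path: str, text: str) -> List[Finding]:
    """Regex scan plus a walk over string values under credential-looking key names."""
    findings = scan_text(path, text)
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return findings  # not valid JSON; the regex pass is all we can do

    def walk(obj, key_path: List[str]) -> None:
        if isinstance(obj, dict):
            for k, v in obj.items():
                walk(v, key_path + [k])
        elif isinstance(obj, list):
            for i, v in enumerate(obj):
                walk(v, key_path + [str(i)])
        elif isinstance(obj, str):
            dotted = ".".join(key_path)
            if any(h in dotted.lower() for h in KEY_NAME_HINTS) and looks_like_key(obj):
                findings.append((path, dotted, "json_credential"))

    walk(data, [])
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """files maps repo path -> contents; dispatch on file type."""
    out: List[Finding] = []
    for path, text in files.items():
        out.extend(scan_json_config(path, text) if path.endswith(".json") else scan_text(path, text))
    return out


def load_secret(name: str) -> str:
    """Hardened counterpart to a hardcoded value: read from the environment, which the
    CI secret store populates, and fail loudly rather than fall back to a default."""
    value = os.environ.get(name)
    if not value:
        raise RuntimeError(f"required secret {name} is not set in the environment")
    return value


# Constructed sample inputs shaped like the files named in the finding (fake values).
SAMPLE_NPMRC = (
    "registry=https://npm.pkg.github.com/\n"
    "//npm.pkg.github.com/:_authToken=ghp_" + "A" * 36 + "\n"
)
SAMPLE_CONFIG_JSON = json.dumps({
    "port": 8080,
    "slack": {"webhook": "https://hooks.slack.com/services/T0000000/B0000000/XXXXXXXXXXXXXXXXXXXXXXXX"},
    "thirdParty": {"apiKey": "a9Bx3kLmQ8pZr2Vt7YcW4nHd6JfS1gKe"},
})

if __name__ == "__main__":
    for path, where, kind in scan_files({".npmrc": SAMPLE_NPMRC, "config/prod.json": SAMPLE_CONFIG_JSON}):
        print(f"{path}:{where}: {kind}")
```

Wired into a pipeline, a non-empty result from `scan_files` should fail the job; the scanner needs to run over the whole history (every commit's tree, not only HEAD) for the first pass, since the finding notes that active tokens live in commit history as well as current code.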
Remediation
DexFi has acknowledged this issue and stated the following:
All repos across the organization have been examined to determine where secrets were improperly stored to have those occurrences removed. The development team has been notified to migrate the semi-secret token inside the [vaults-v3-backend] repo into GitHub secrets. Furthermore, we are coordinating with our colleagues to rewrite the repository history to remove all sensitive data. All of the remaining tasks will be completed before any private repos are marked public.