Hardcoded client ID and client secret found in the application binary.
Impact:
Leads to full API/authorization compromise.
| Vulnerability Name | Vulnerable URL | CVE/CWE | CVSS Score | Overall Risk (Severity) | Observation / Description | Impact | Recommendation | Reference | Steps to reproduce |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Client ID and Client Secret Disclosure | https://dev.abdm.gov.in/api/hiecm/gateway/v3/sessions | CWE-200 | 3.4 | Low | It was identified that the application exposes sensitive OAuth credentials, specifically the Client ID and Client Secret, within client-side components. These values were visible in the network requests and/or embedded within the application's source code when inspected using developer tools or proxy tools such as Burp Suite. | Unauthorized API Access: attackers can use the exposed Client ID and Client Secret to generate valid tokens or perform authenticated API calls. Account Takeover (indirect risk): if combined with other vulnerabilities, attackers may impersonate legitimate users. Abuse of Backend Services: malicious actors can consume APIs, cause financial loss, or exhaust rate limits. Data Theft: sensitive user or system data may be accessed using the leaked credentials. Full OAuth Compromise: the confidentiality and integrity of the entire authentication/authorization flow can be compromised. | Move Client Secret to Server-Side: the Client Secret must be stored only on the server and never exposed to client-side code. Use Backend Authentication Flow: implement a proper OAuth flow (e.g., Authorization Code Flow with PKCE) so that secrets are not exposed. Regenerate Exposed Credentials: immediately revoke and regenerate the compromised Client ID and Client Secret. Secure Communication: ensure all sensitive authentication operations occur over HTTPS with strict validation. Code Review and Hardening: remove all secrets from client-side assets and configuration files. Implement API Gateway or Token Proxy: route sensitive authentication requests through a backend service to avoid exposing secrets. | https://cwe.mitre.org/data/definitions/200.html | Step 1: During the security assessment, we used the application and monitored the network requests through Burp Suite. Step 2: While analyzing the API requests and responses, we observed that sensitive authentication parameters were being transmitted in plain text. Step 3: Specifically, the Client ID and Client Secret were exposed within the API request/response payloads. |
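The recommended remediation (Authorization Code Flow with PKCE behind a backend token proxy) as an added example; this is not code from the assessed application or from ABDM, and the endpoint URLs and `OAUTH_CLIENT_ID` / `OAUTH_CLIENT_SECRET` environment variable names are assumptions. The browser only ever sees the public `client_id` and the S256 code challenge; the secret is read from server configuration at exchange time.

```python
# Added example (not code from the assessed application): Authorization Code
# flow with PKCE where the client_secret is held only by the backend.
# Endpoint URLs and environment variable names are assumptions.
import base64
import hashlib
import os
import secrets
from typing import Mapping
from urllib.parse import urlencode


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Fresh high-entropy verifier; 32 random bytes encode to 43 characters."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def pkce_matches(verifier: str, challenge: str) -> bool:
    """The check the authorization server performs at the token endpoint."""
    return secrets.compare_digest(code_challenge_s256(verifier), challenge)


def authorize_url(auth_endpoint: str, client_id: str, redirect_uri: str,
                  state: str, challenge: str) -> str:
    """Front-channel request the browser follows; carries only public values."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return f"{auth_endpoint}?{urlencode(params)}"


def backend_token_request(token_endpoint: str, code: str, verifier: str,
                          redirect_uri: str, env: Mapping[str, str] = os.environ):
    """Back-channel exchange built by the server (assumed env variable names).
    The secret comes from server configuration, never from a shipped asset."""
    secret = env.get("OAUTH_CLIENT_SECRET")
    if not secret:
        raise RuntimeError("OAUTH_CLIENT_SECRET is not configured on the server")
    body = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "code_verifier": verifier,
            "client_id": env["OAUTH_CLIENT_ID"], "client_secret": secret}
    return token_endpoint, body  # POST as form data from the backend only
```

Shipping a client bundle or binary that contains `OAUTH_CLIENT_SECRET` would defeat this design; the value must exist solely in the backend's environment or secret store.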