# humand-main-api — Real secrets committed in `.env.example`

STATUS: DRAFT
program: humand | platform: huntr | repo: HumandDev/humand-main-api | commit: bb975d08cc

````
Repository URL: https://github.com/HumandDev/humand-main-api
Package Manager: npm
CVSS: Attack Vector: Network
Title: humand-main-api — Real secrets committed in `.env.example`
Description:

## huntr Form Fields

```
Package Manager: npm
Version Affected: latest (commit bb975d08cc)
Vulnerability Type: Inclusion of Sensitive Information in Source Code
CVSS:
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: None
  User Interaction: None
  Scope: Unchanged
  Confidentiality: High
  Integrity: High
  Availability: Low
Title: Sensitive private keys and service credentials exposed in .env.example
```

### Description

# Description

The repository's `.env.example` contains actual high-value credentials and private key material rather than placeholders. These values are readable by anyone with repository access and, once committed, persist in git history as a long-lived leak even after the file is cleaned.

Exposed values include:

- Twilio account SID and auth token
- Firebase RSA private key block
- SAML IdP private key and signing certificate
- Cursor pagination encryption key
- API key salt

This is a direct secret disclosure issue and enables credential abuse without needing runtime access.

# Proof of Concept

1. Clone or browse the repository.
2. Open `.env.example`.
3. Copy sensitive values (e.g., Twilio token/private key blocks).
4. Use extracted credentials against corresponding services.

Examples:

```bash
# Extract Twilio credentials from repository file
rg -n "TWILIO_(ACCOUNT_SID|AUTH_TOKEN)" .env.example

# Extract key headers proving private key disclosure
rg -n "BEGIN (RSA )?PRIVATE KEY|BEGIN CERTIFICATE" .env.example
```

Expected vulnerable behavior: live-looking credentials and key material are present in plaintext in version-controlled source.

### Impact

An attacker with repo access can forge tokens/signatures (depending on key usage), abuse SMS/call APIs, and bypass controls relying on leaked secret material. Even if values are "dev", compromise risk remains whenever environments or integrations are shared/reused.

### Occurrences

```
Permalink: https://github.com/HumandDev/humand-main-api/blob/bb975d08cc/.env.example#L52-L54
Description: Twilio SID/auth token values committed in plaintext

Permalink: https://github.com/HumandDev/humand-main-api/blob/bb975d08cc/.env.example#L60
Description: Cursor pagination encryption key present

Permalink: https://github.com/HumandDev/humand-main-api/blob/bb975d08cc/.env.example#L64
Description: Firebase RSA private key block committed

Permalink: https://github.com/HumandDev/humand-main-api/blob/bb975d08cc/.env.example#L154-L155
Description: IdP private key and signing certificate committed
```

### References

```
URL: https://cwe.mitre.org/data/definitions/798.html
Name: CWE-798: Use of Hard-coded Credentials

URL: https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
Name: OWASP Secrets Management Cheat Sheet

URL: https://12factor.net/config
Name: The Twelve-Factor App - Store config in the environment
```
````
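A defensive counterpart to the `rg` checks above, added here as an example and not part of the report or the HumandDev repository: a small pre-commit style scanner that parses a `.env.example`, skips obvious placeholders, and flags PEM blocks, Twilio-shaped account SIDs and high-entropy token values. The sample file content, the placeholder hint list and the entropy threshold are all constructed assumptions for this example.

```python
import math
import re

# Constructed sample .env.example (not the repository's file): placeholders mixed with secret-looking values.
SAMPLE_ENV = """\
DATABASE_URL=postgres://app:app@localhost:5432/app
TWILIO_ACCOUNT_SID=AC0123456789abcdef0123456789abcdef
TWILIO_AUTH_TOKEN=your_twilio_auth_token
API_KEY_SALT=CHANGE_ME
CURSOR_ENCRYPTION_KEY=kJ8f2Lq9ZxP4vR7tN1mW3bY6cD0eH5gA
FIREBASE_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----\\nMIIEvQIBADANBg\\n-----END PRIVATE KEY-----\\n"
"""

PLACEHOLDER_HINTS = ("xxx", "your_", "change_me", "placeholder", "example", "<", "dummy")
PEM_RE = re.compile(r"-----BEGIN (?:[A-Z ]+ )?(?:PRIVATE KEY|CERTIFICATE)-----")
TWILIO_SID_RE = re.compile(r"^AC[0-9a-f]{32}$")   # Twilio Account SID shape: "AC" + 32 hex
TOKEN_RE = re.compile(r"^[A-Za-z0-9+/=_-]{20,}$")  # opaque token-like values only (no URLs)

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; about 5.0 for a random 32-char alphanumeric key."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def parse_env(text: str) -> dict:
    """Minimal KEY=VALUE parser: skips comments and blank lines, strips surrounding quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("'\"")
    return env

def classify(value: str):
    """Return a finding label, or None when the value is empty or looks like a placeholder."""
    if not value or any(h in value.lower() for h in PLACEHOLDER_HINTS):
        return None
    if PEM_RE.search(value):
        return "pem-private-key-or-cert"
    if TWILIO_SID_RE.match(value):
        return "twilio-account-sid"
    if TOKEN_RE.match(value) and shannon_entropy(value) >= 3.5:  # threshold is an assumption
        return "high-entropy-token"
    return None

def scan_env(text: str) -> dict:
    """Map each suspicious key to the reason it was flagged; placeholders produce no entry."""
    return {k: r for k, v in parse_env(text).items() if (r := classify(v))}
```

Running `scan_env` over the real file in a pre-commit hook and failing the commit on any finding keeps live-looking material out of history in the first place, which is cheaper than rotating keys after the fact.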