# humand-main-api — Critical authentication bypass via global master password

STATUS: DRAFT

program: humand | platform: huntr | repo: HumandDev/humand-main-api | commit: bb975d08cc

````
Repository URL: https://github.com/HumandDev/humand-main-api
Package Manager: npm
CVSS:
Attack Vector: Network
Title: humand-main-api — Critical authentication bypass via global master password
Description:

## huntr Form Fields

```
Package Manager: npm
Version Affected: latest (commit bb975d08cc)
Vulnerability Type: Improper Authentication
CVSS:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High
Title: Global MASTER_PASSWORD allows login as any user across tenants
```

### Description

# Description

The authentication flow includes a global `MASTER_PASSWORD` bypass that accepts a single shared secret instead of verifying the target user's bcrypt hash.

In `verifyPasswordOfUser`, the code compares the supplied password directly against `this.masterPassword` (loaded from the environment). If it matches, normal password hash verification is skipped:

```ts
const isMasterPasswordUsed = passwordToCheck === this.masterPassword;
if (!isMasterPasswordUsed) {
  // bcrypt compare only happens here
}
```

This creates an application-level backdoor: possession of `MASTER_PASSWORD` is sufficient to authenticate as any account, regardless of the user's real password. The risk is amplified by service-user creation paths that rely on this same secret model, making it a systemic single point of failure in the authentication design.

# Proof of Concept

1. Deploy `humand-main-api` in a test environment where `MASTER_PASSWORD` is configured.
2. Choose any existing victim account (including admin).
3. Send a login request using the victim identifier and `MASTER_PASSWORD` as the password.
4. Observe successful authentication and issuance of a valid session/JWT for the victim account.

Example request shape:

```http
POST /auth/login
Content-Type: application/json

{
  "email": "victim@tenant.example",
  "password": ""
}
```

Expected vulnerable behavior: login succeeds even when `victim@tenant.example`'s real password is unknown and does not match.

### Impact

Anyone who learns or obtains the global `MASTER_PASSWORD` can impersonate any user across tenants, including privileged administrators. This enables full account takeover, unauthorized data access, administrative action abuse, and broad compromise of tenant isolation.

### Occurrences

```
Permalink: https://github.com/HumandDev/humand-main-api/blob/bb975d08cc/src/api/modules/auth/business/services/auth.ts#L391
Description: verifyPasswordOfUser allows global master-password match before bcrypt verification

Permalink: https://github.com/HumandDev/humand-main-api/blob/bb975d08cc/src/api/modules/users/business/services/usersService.ts#L3883-L3889
Description: Service-user provisioning references master-password model, reinforcing single shared-secret risk
```

### References

```
URL: https://cwe.mitre.org/data/definitions/287.html
Name: CWE-287: Improper Authentication

URL: https://cwe.mitre.org/data/definitions/798.html
Name: CWE-798: Use of Hard-coded Credentials

URL: https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication
Name: OWASP Broken Authentication guidance
```
````
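The snippet quoted in the Description shows the shape of the flaw; the following is an added example (not code from humand-main-api) that places that vulnerable shape beside a hardened `verifyPasswordOfUser` with no shared-secret branch, plus a startup guard that refuses to run if a `MASTER_PASSWORD` is configured at all. `StoredUser`, `hashPassword`, `comparePassword`, `assertNoMasterPassword` and the `VulnerableAuthService`/`HardenedAuthService` classes are assumed names; scrypt from `node:crypto` stands in for bcrypt so the example runs offline, and the demo user is constructed.

```typescript
// Added example, not part of the report or the humand-main-api code base.
// scrypt (node:crypto) stands in for bcrypt so this runs without dependencies.
import { randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

// Assumed user record shape; "salt:hash" hex is a constructed storage format.
interface StoredUser {
  email: string;
  passwordHash: string;
}

// Stand-in for bcrypt.hash(): random 16-byte salt, 32-byte derived key.
function hashPassword(password: string): string {
  const salt = randomBytes(16);
  const key = scryptSync(password, salt, 32);
  return `${salt.toString("hex")}:${key.toString("hex")}`;
}

// Stand-in for bcrypt.compare(): re-derive and compare in constant time.
function comparePassword(password: string, stored: string): boolean {
  const [saltHex, keyHex] = stored.split(":");
  if (!saltHex || !keyHex) return false;
  const expected = Buffer.from(keyHex, "hex");
  const actual = scryptSync(password, Buffer.from(saltHex, "hex"), expected.length);
  return actual.length === expected.length && timingSafeEqual(actual, expected);
}

// VULNERABLE shape, mirroring the pattern quoted in the report: one shared
// secret short-circuits the per-user hash check for every account.
class VulnerableAuthService {
  constructor(private readonly masterPassword: string | undefined) {}

  verifyPasswordOfUser(user: StoredUser, passwordToCheck: string): boolean {
    const isMasterPasswordUsed = passwordToCheck === this.masterPassword;
    if (!isMasterPasswordUsed) {
      return comparePassword(passwordToCheck, user.passwordHash);
    }
    return true; // accepted for any user, in any tenant
  }
}

// HARDENED shape: the user's own credential is the only path to success.
// There is no master password field, so nothing can be misconfigured back in.
class HardenedAuthService {
  verifyPasswordOfUser(user: StoredUser, passwordToCheck: string): boolean {
    return comparePassword(passwordToCheck, user.passwordHash);
  }
}

// Startup guard (hypothetical): fail closed if a global bypass secret is present
// in the environment, so the backdoor cannot return via configuration alone.
function assertNoMasterPassword(env: Record<string, string | undefined>): void {
  const value = env.MASTER_PASSWORD;
  if (value !== undefined && value !== "") {
    throw new Error("MASTER_PASSWORD must not be configured: it is a global login bypass");
  }
}

// Constructed demo data: a victim whose real password is only known here.
const demoUser: StoredUser = {
  email: "victim@tenant.example",
  passwordHash: hashPassword("correct horse battery staple"),
};

// Runs the comparison both ways; returns a small summary for inspection.
function demonstrate(): { vulnerableAcceptsShared: boolean; hardenedAcceptsShared: boolean; hardenedAcceptsReal: boolean } {
  const shared = "constructed-shared-secret";
  const vulnerable = new VulnerableAuthService(shared);
  const hardened = new HardenedAuthService();
  return {
    vulnerableAcceptsShared: vulnerable.verifyPasswordOfUser(demoUser, shared),
    hardenedAcceptsShared: hardened.verifyPasswordOfUser(demoUser, shared),
    hardenedAcceptsReal: hardened.verifyPasswordOfUser(demoUser, "correct horse battery staple"),
  };
}
```

The point of the hardened class is structural rather than cryptographic: removing the field entirely means there is no code path to protect, and the startup guard turns a leftover `MASTER_PASSWORD` in a deployment's environment into a boot failure that operators notice instead of a silent bypass. Break-glass or service-user needs should be met with per-identity credentials that are individually rotatable and audited, not with a second shared secret.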