# humand-web — Hardcoded SCORM Cloud API credentials exposed in frontend bundle

STATUS: DRAFT
program: humand-web | platform: huntr | repo: HumandDev/humand-web | commit: 2026-02-13-scan

````
Repository URL: https://github.com/HumandDev/humand-web
Package Manager: npm
CVSS:
Attack Vector: Network
Title: humand-web — Hardcoded SCORM Cloud API credentials exposed in frontend bundle
Description:

## huntr Form Fields

```
Package Manager: npm
Version Affected: latest frontend build (observed in 2026-02-13 scan)
Vulnerability Type: Use of Hard-coded Credentials
CVSS:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: Low
Title: SCORM Cloud API Basic credentials hardcoded in client-side code
```

### Description

The frontend defines a dedicated Axios client for SCORM Cloud with a static Basic `Authorization` header hardcoded directly in the source. Because this code runs in the browser, the secret is exposed to every user via source inspection, the DevTools network tab, or static extraction from the built bundle.

Observed code:

```ts
export const scormApi = axios.create({
  baseURL: 'https://cloud.scorm.com/api/v2',
  headers: {
    Authorization: 'Basic NjU3TjRJUllDVDpnVmFSWTJEUExDZ215SUIzeVA2a2tDUmpZcjE4aFJzOUVxMkx2cVdS',
  },
});
```

Decoded credential pair: `657N4IRYCT:gVaRY2DPLCgmyIB3yP6kkCRjYr18hRs9Eq2LvqWR`

This is not a publishable client-side API key; it is a long-lived credential that the SCORM Cloud v2 API accepts directly.

### Proof of Concept

1. Load the web app in a browser and open DevTools.
2. Locate the SCORM API client initialization in the bundled JS (or inspect the source in the repository).
3. Copy the `Authorization: Basic ...` value.
4. Replay requests directly against the SCORM Cloud API from any machine.
Example:

```bash
curl -i https://cloud.scorm.com/api/v2/apps \
  -H 'Authorization: Basic NjU3TjRJUllDVDpnVmFSWTJEUExDZ215SUIzeVA2a2tDUmpZcjE4aFJzOUVxMkx2cVdS'
```

Expected result: the API call is authenticated with the extracted credentials.

### Impact

An attacker holding the credential can query and modify SCORM Cloud resources to the extent the account's permissions allow: learning assets, registrations, learner progress metadata, and potentially training content operations. Because the credential ships in client-side code it must be treated as already compromised: rotating it in SCORM Cloud is the only immediate remediation, and the durable fix is to keep the secret server-side and route SCORM Cloud calls through the application's own backend.

### Occurrences

```
Permalink: /src/config/api.ts#L98-L104
Description: Frontend SCORM API client hardcodes Basic Auth credential in browser-executed code
```

### References

```
URL: https://cwe.mitre.org/data/definitions/798.html
Name: CWE-798: Use of Hard-coded Credentials
URL: https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/
Name: OWASP A07: Identification and Authentication Failures
```
````
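The remediation pattern for the Description and Impact sections above, as an added example that is not humand-web's code: the browser never holds a SCORM Cloud credential, it calls the application's own backend under `/api/scorm/...`, and the backend attaches the Basic header from its environment and forwards only allowlisted paths. The environment variable names `SCORM_APP_ID` / `SCORM_SECRET_KEY`, the proxy prefix and the allowed upstream prefixes are assumptions made for this example.

```typescript
// Added example, not humand-web code. Server-side SCORM Cloud proxy helpers:
// the secret lives only in the backend's environment, and the browser can only
// reach the upstream paths listed below. Variable names and prefixes are assumed.

export interface ScormEnv {
  SCORM_APP_ID?: string;
  SCORM_SECRET_KEY?: string;
}

export const SCORM_BASE_URL = "https://cloud.scorm.com/api/v2";
export const PROXY_PREFIX = "/api/scorm";

// Upstream prefixes the browser may reach through the proxy (assumed set for
// this example; account-level paths such as /apps stay unreachable).
const ALLOWED_UPSTREAM_PREFIXES = ["/registrations", "/courses"];

const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// Standard base64 for ASCII input, kept inline so the example has no
// dependency on Buffer or btoa typings.
export function base64Encode(input: string): string {
  let out = "";
  for (let i = 0; i < input.length; i += 3) {
    const a = input.charCodeAt(i);
    const hasB = i + 1 < input.length;
    const hasC = i + 2 < input.length;
    const b = hasB ? input.charCodeAt(i + 1) : 0;
    const c = hasC ? input.charCodeAt(i + 2) : 0;
    const n = (a << 16) | (b << 8) | c;
    out += B64[(n >> 18) & 63] + B64[(n >> 12) & 63];
    out += hasB ? B64[(n >> 6) & 63] : "=";
    out += hasC ? B64[n & 63] : "=";
  }
  return out;
}

// Builds the header on the server from environment, failing closed when the
// secret is absent instead of shipping a placeholder.
export function buildScormAuthHeader(env: ScormEnv): string {
  const id = env.SCORM_APP_ID;
  const key = env.SCORM_SECRET_KEY;
  if (!id || !key) {
    throw new Error("SCORM Cloud credentials are not configured on the server");
  }
  return "Basic " + base64Encode(id + ":" + key);
}

export interface UpstreamRequest {
  url: string;
  headers: { [name: string]: string };
}

// Maps a browser request path onto the SCORM Cloud API, rejecting anything
// outside the allowlist or containing path traversal.
export function buildUpstreamRequest(clientPath: string, env: ScormEnv): UpstreamRequest {
  if (clientPath.indexOf(PROXY_PREFIX + "/") !== 0) {
    throw new Error("not a SCORM proxy path: " + clientPath);
  }
  const upstreamPath = clientPath.slice(PROXY_PREFIX.length);
  if (upstreamPath.indexOf("..") !== -1) {
    throw new Error("path traversal rejected");
  }
  const allowed = ALLOWED_UPSTREAM_PREFIXES.some(
    (p) => upstreamPath === p || upstreamPath.indexOf(p + "/") === 0 || upstreamPath.indexOf(p + "?") === 0,
  );
  if (!allowed) {
    throw new Error("upstream path not allowlisted: " + upstreamPath);
  }
  return {
    url: SCORM_BASE_URL + upstreamPath,
    headers: { Authorization: buildScormAuthHeader(env), Accept: "application/json" },
  };
}

// Browser side after the fix: axios.create({ baseURL: "/api/scorm" }) with no
// Authorization header at all, so nothing secret reaches the bundle.
```

The allowlist is deliberately narrow: the proxy exposes only the SCORM Cloud operations the app's features need, so even an authenticated user of humand-web cannot turn the backend into a general-purpose client for the account.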
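A pre-deploy check for the Occurrences section above, as an added example that is not humand-web's code: it scans a built frontend bundle for `Basic` Authorization values that decode to an `id:secret` pair, which is exactly the shape of this finding. The sample bundle text and the credential pair `EXAMPLEAPP:examplesecret` inside it are constructed for this example; findings carry only the user half and the offset, never the secret, so CI output does not re-leak it.

```typescript
// Added example, not humand-web code: CI/pre-deploy scanner for Basic
// Authorization headers baked into a JS bundle. Sample input is constructed.

export interface BasicAuthFinding {
  offset: number; // character offset of the match in the bundle
  user: string;   // left half of the decoded id:secret pair (secret is withheld)
}

const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// Standard base64 decoder for ASCII payloads; returns null on malformed input.
// Inline so the example has no dependency on Buffer or atob typings.
export function base64Decode(s: string): string | null {
  const clean = s.replace(/=+$/, "");
  if (clean.length % 4 === 1) return null;
  let bits = 0;
  let value = 0;
  let out = "";
  for (let i = 0; i < clean.length; i++) {
    const v = B64.indexOf(clean.charAt(i));
    if (v < 0) return null;
    value = (value << 6) | v;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out += String.fromCharCode((value >> bits) & 0xff);
      value &= (1 << bits) - 1;
    }
  }
  return out;
}

// Printable, non-space ASCII; both halves of a real credential pair look like this.
const PRINTABLE = /^[\x21-\x7e]+$/;

export function findBasicAuthSecrets(bundle: string): BasicAuthFinding[] {
  const findings: BasicAuthFinding[] = [];
  // "Basic " followed by a base64 run; short runs are ignored to cut noise.
  const re = /Basic\s+([A-Za-z0-9+\/]{8,}={0,2})/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(bundle)) !== null) {
    const decoded = base64Decode(m[1]);
    if (decoded === null) continue;
    const colon = decoded.indexOf(":");
    // Require non-empty user and secret halves made of printable characters;
    // this drops prose like "Basic Authentication" whose bytes decode to junk.
    if (colon <= 0 || colon === decoded.length - 1) continue;
    const user = decoded.slice(0, colon);
    const secret = decoded.slice(colon + 1);
    if (!PRINTABLE.test(user) || !PRINTABLE.test(secret)) continue;
    findings.push({ offset: m.index, user: user });
  }
  return findings;
}

// Constructed stand-in for a minified bundle: one leaked header (made-up pair
// EXAMPLEAPP:examplesecret), an inline PNG, and the words "Basic Authentication"
// in an ordinary string literal.
export const SAMPLE_BUNDLE =
  'var s=axios.create({baseURL:"https://cloud.scorm.com/api/v2",headers:{Authorization:"Basic RVhBTVBMRUFQUDpleGFtcGxlc2VjcmV0"}});' +
  'var img="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==";' +
  'var help="Basic Authentication is configured on the server";';

export interface CheckResult {
  status: number;     // 0 when clean, 1 when any credential-shaped header was found
  messages: string[]; // one line per finding, safe to print in CI logs
}

// Entry point for a CI step: fail the build when the bundle carries credentials.
export function checkBundle(bundle: string): CheckResult {
  const found = findBasicAuthSecrets(bundle);
  const messages = found.map(
    (f) => "hardcoded Basic credential for user '" + f.user + "' at offset " + f.offset,
  );
  return { status: found.length === 0 ? 0 : 1, messages: messages };
}
```

Running `checkBundle` over every emitted `.js` file after the production build, and failing the pipeline on a non-zero status, catches this class of leak before the bundle is served; it complements, rather than replaces, rotating the credential already shipped.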