Cybersecurity issue: CWE-798 hard-coded authentication in web client side

Samuel.Chou.OM · December 20, 2024, 4:48am

Team ID:

https://go.glideapps.com/o/lxYiTW2xZd5JdolIXarV/

App ID:

https://go.glideapps.com/app/TusQVIs3ZvE7aC2eR6ws/layout

Description

As our client requested, we ran an source code security analysis report, targeting the source code from web-client side.

The result shows that there’s a risk called “Credential Management: Hardcoded API Credentials”, type “CWE-798”, which is leveled as Critical risk.

I wonder if the team could fix it soon? As client asking that if this should be worried about.

How to replicate

Open any of your Glide App web-client page.
Navigate to the Sources. For example, in Google Chrome, open DevTools > Sources.
Navigate to the code of sw-prod-v4.js > your-app-name.glide.page > static/js > sw-common-alotoftokens.js
Search keywords in the code, ex. apiKey: appId

You will find some keys / auth tokens are hard-coded in that script, like this:

I took a quick look to other website services like WordPress, wix, Google, Facebook, etc. It seems that the hard-coded authentication does not exist in their web service.

MaximeBaker · December 20, 2024, 11:29am

The API key is probably an ANON key.

@NoCodeAndy Am I right?

Topic		Replies	Views
Security Audit Findings for Custom Glide App - Seeking Expert Feedback Ask for Help security	8	236	July 2, 2024
Security - mobile app Ask for Help	1	232	March 7, 2022
HELP! Is Glide down? General	5	508	November 3, 2022
Glide's Penetration Test Report Ask for Help	4	475	April 11, 2022
Hmac-sha1 and JWT Ask for Help	3	227	August 22, 2023

Cybersecurity issue: CWE-798 hard-coded authentication in web client side

Related topics