Info Leak Private Program 2025-04-01
Hardcoded API Keys Exposed in JavaScript Bundle
Severity: High | Status: Resolved
Summary
Using source map analysis, I discovered hardcoded API keys for Stripe, SendGrid, and internal services in the minified JavaScript.
Proof of Concept
// Found in app.bundle.js
const STRIPE_KEY = "sk_live_xxx...";
const SENDGRID_KEY = "SG.xxx...";
Impact
Unauthorized access to payment processing and email infrastructure.
Responsible Disclosure
This vulnerability was reported responsibly and fixed by the vendor before public disclosure.
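A build-time check for the class of issue reported above, as an added example that is not part of the original report or the vendor's fix. The names `scanBundle`, `RULES` and `exitCodeFor`, the regular expressions and their minimum lengths are assumptions, and the sample keys are constructed values, not real credentials.

```javascript
// Added example: flag secret-key shapes and source map references in built JS.
// Rule patterns and minimum lengths are assumptions; tune them per provider.
const RULES = [
  { name: "stripe-live-secret", secret: true, re: /\bsk_live_[0-9A-Za-z]{16,}/g },
  { name: "sendgrid-api-key", secret: true, re: /\bSG\.[0-9A-Za-z_-]{16,}\.[0-9A-Za-z_-]{16,}/g },
  { name: "source-map-reference", secret: false, re: /\/\/[#@]\s*sourceMappingURL=\S+/g },
];

// Keep only a short prefix so the scan report does not repeat the key itself.
function redact(value) {
  return value.slice(0, 8) + "...[" + value.length + " chars]";
}

// Returns one finding per match: file, 1-based line and column, rule, excerpt.
function scanBundle(fileName, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, idx) => {
    for (const rule of RULES) {
      rule.re.lastIndex = 0; // global regexes keep state between calls
      let m;
      while ((m = rule.re.exec(line)) !== null) {
        findings.push({
          file: fileName, line: idx + 1, column: m.index + 1,
          rule: rule.name, secret: rule.secret,
          excerpt: rule.secret ? redact(m[0]) : m[0],
        });
      }
    }
  });
  return findings;
}

// Non-zero when any secret-shaped value is present, for use as a CI gate.
function exitCodeFor(findings) {
  return findings.some((f) => f.secret) ? 1 : 0;
}

// Constructed sample bundle; keys are assembled from filler characters.
const FAKE_STRIPE = "sk_" + "live_" + "A1b2".repeat(6);
const FAKE_SENDGRID = "SG." + "x".repeat(22) + "." + "y".repeat(43);
const SAMPLE_BUNDLE = [
  '!function(){const a="' + FAKE_STRIPE + '";pay(a)}();',
  'const b="' + FAKE_SENDGRID + '";',
  "//# sourceMappingURL=app.bundle.js.map",
].join("\n");

for (const f of scanBundle("app.bundle.js", SAMPLE_BUNDLE)) {
  console.log(`${f.file}:${f.line}:${f.column} ${f.rule} ${f.excerpt}`);
}
```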