
Administrative Credentials Stored in Cache Memory - Elixir


Need

Prevent unauthorized access to administrative credentials


Context

  1. Usage of Elixir (v1.11+) for building scalable and fault-tolerant applications
  2. Usage of ETS for caching

Description

Insecure Code Example

defmodule MyApp.Cache do
  def store_credentials(username, password) do
    # Create the table only once; :ets.new/2 raises if it already exists.
    if :ets.whereis(:creds) == :undefined do
      :ets.new(:creds, [:public, :named_table])
    end

    # The password is written to a :public table (readable by any process) in plain text.
    :ets.insert(:creds, {username, password})
  end
end

In the code above, the admin credentials are stored directly, in plain text, in Elixir's ETS (Erlang Term Storage), which acts as an in-memory store. If an attacker manages to dump the ETS table, they obtain the credentials as-is.

Steps

  1. Add the Comeonin library (with a bcrypt backend such as bcrypt_elixir) as a dependency in mix.exs and run mix deps.get.
  2. Hash sensitive data before storing it in cache or memory.
  3. Avoid storing sensitive information in plain text.
  4. Ensure secure configuration of cache or memory storage.

Secure Code Example

defmodule MyApp.Cache do
  def store_credentials(username, password) do
    # Salted bcrypt hash; the plaintext password never reaches the table.
    # (Newer bcrypt_elixir releases name this function Bcrypt.hash_pwd_salt/1.)
    hashed_password = Bcrypt.hashpwsalt(password)

    # Create the table only once; :ets.new/2 raises if it already exists.
    if :ets.whereis(:creds) == :undefined do
      :ets.new(:creds, [:public, :named_table])
    end

    :ets.insert(:creds, {username, hashed_password})
  end
end

In the secure code above, the admin credentials are hashed with bcrypt before being stored in ETS. This means that even if an attacker dumps the ETS table, they obtain only salted hashes and cannot gain access to the actual admin credentials.
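As an added example (not code from the original page), the module below goes one step further than the snippet above: it creates the table once as :protected instead of :public, stores only bcrypt hashes, and verifies login attempts against them with a constant-time fallback for unknown users. It assumes the bcrypt_elixir package (Bcrypt.hash_pwd_salt/1, Bcrypt.verify_pass/2, Bcrypt.no_user_verify/0) is listed in mix.exs; the module and table names are hypothetical.

```elixir
# Added example, not part of the original page. Assumes bcrypt_elixir is a dependency.
defmodule MyApp.CredentialCache do
  @table :admin_creds

  # Create the table once. :protected means only the owning process may write,
  # while other processes may still read (verify). Safe to call repeatedly.
  def init do
    case :ets.whereis(@table) do
      :undefined -> :ets.new(@table, [:protected, :named_table, :set])
      _tid -> @table
    end
  end

  # Store only the salted bcrypt hash; the plaintext never reaches the table.
  # Must be called from the process that owns the table (typically a GenServer).
  def store_credentials(username, password) when is_binary(password) do
    :ets.insert(@table, {username, Bcrypt.hash_pwd_salt(password)})
    :ok
  end

  # Verify a login attempt without ever handing the stored hash to callers.
  def verify(username, password) when is_binary(password) do
    case :ets.lookup(@table, username) do
      [{^username, hash}] ->
        Bcrypt.verify_pass(password, hash)

      [] ->
        # Run a dummy hash so unknown users take as long as known ones.
        Bcrypt.no_user_verify()
        false
    end
  end

  # What anyone who dumps the table sees: usernames and bcrypt hashes only.
  def dump, do: :ets.tab2list(@table)
end

# Usage from iex (same process owns the table and writes to it):
# MyApp.CredentialCache.init()
# MyApp.CredentialCache.store_credentials("admin", "correct horse battery staple")
# MyApp.CredentialCache.verify("admin", "correct horse battery staple")
# MyApp.CredentialCache.verify("admin", "wrong")
# MyApp.CredentialCache.dump()
```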


References

  • 019 - Administrative Credentials Stored in Cache Memory

  • Last updated: 2023/09/18