Business Information Leak - Credentials - Elixir


Need

Prevent leakage of sensitive credentials


Context

  1. Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
  2. Usage of Plug (1.11.0 and above) for building composable web applications in Elixir

Description

Insecure Code Example

defmodule MyApp.Config do
  # The literal is compiled into the module's .beam file, so anyone with the
  # source tree or the build artifact can read it.
  @api_key "hard-coded-api-key"

  def get_api_key do
    @api_key
  end
end

The code hard-codes a sensitive API key in a module attribute, so the key is compiled into the .beam file and is exposed to anyone who obtains the source or the build artifact. An attacker obtaining this key can misuse it to impersonate the application.

Steps

  1. Remove hard-coded sensitive credentials from the code.
  2. Store sensitive credentials securely, for example in environment variables or in encrypted configuration files.

Secure Code Example

defmodule MyApp.Config do
  # Read at call time from the process environment; returns nil when the
  # variable is not set, so callers must treat a missing value as an error.
  def get_api_key do
    System.get_env("API_KEY")
  end
end

The code retrieves the API key from an environment variable at runtime instead of hard-coding it, so the key exists only in the deployment environment. Even if the code is leaked, the API key itself is not exposed.
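The runtime-only pattern the steps describe, carried through to a Plug that checks the key, as an added example that is not part of the original page; the application name `:my_app`, the modules `MyApp.Config` and `MyAppWeb.Plugs.RequireApiKey`, the `x-api-key` header and the `API_KEY` variable are assumptions.

```elixir
# --- config/runtime.exs -------------------------------------------------
# Evaluated when the release starts, so the value comes from the deployment
# environment and is never compiled into the artifact. Note that
# `@api_key System.get_env("API_KEY")` in a module attribute would still be
# evaluated at compile time and embed the value, which defeats the purpose.
import Config

config :my_app, api_key: System.fetch_env!("API_KEY")

# --- lib/my_app/config.ex (assumed path) ---------------------------------
defmodule MyApp.Config do
  @moduledoc "Runtime access to secrets; nothing here runs at compile time."

  # Fails fast if the key was never configured, instead of silently
  # returning nil the way System.get_env/1 does.
  def get_api_key do
    Application.fetch_env!(:my_app, :api_key)
  end
end

# --- lib/my_app_web/plugs/require_api_key.ex (assumed path) --------------
defmodule MyAppWeb.Plugs.RequireApiKey do
  @moduledoc "Rejects requests whose x-api-key header does not match."
  import Plug.Conn

  def init(opts), do: opts

  def call(conn, _opts) do
    expected = MyApp.Config.get_api_key()

    case get_req_header(conn, "x-api-key") do
      [presented] when is_binary(presented) ->
        # Constant-time comparison from plug_crypto, so response timing does
        # not reveal how many leading bytes of the key were guessed correctly.
        if Plug.Crypto.secure_compare(presented, expected),
          do: conn,
          else: reject(conn)

      _ ->
        reject(conn)
    end
  end

  # The response body never echoes the expected or the presented value.
  defp reject(conn) do
    conn
    |> send_resp(401, "unauthorized")
    |> halt()
  end
end
```

Add the plug to the router pipeline that protects the API routes; an unset `API_KEY` then aborts startup rather than letting requests through with a nil key.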


References

  • 214 - Business Information Leak - Credentials

  • Last updated: 2023/09/18