Business Information Leak - Credentials
Need
Prevent leakage of sensitive credentials
Context
• Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
• Usage of Plug (1.11.0 and above) for building composable web applications in Elixir
Description
1. Non compliant code
defmodule MyApp.Config do
  # The literal is compiled into the .beam file, so it leaks with the source
  # or with any build artifact.
  @api_key "hard-coded-api-key"

  def get_api_key do
    @api_key
  end
end

The code hard-codes a sensitive API key, which exposes the key if the code is leaked. An attacker obtaining this key can misuse it to impersonate the application.
2. Steps
• Remove hard-coded sensitive credentials from the code.
• Store sensitive credentials securely, such as in environment variables, or in encrypted configuration files.
3. Secure code example
defmodule MyApp.Config do
  # Read from the process environment at call time; returns nil when
  # API_KEY is not set.
  def get_api_key do
    System.get_env("API_KEY")
  end
end

The code retrieves the API key from an environment variable instead of hard-coding it. Even if the code is leaked, the sensitive API key remains secure.
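The two steps above carried through to a small Plug application, as an added example that is not part of the original page: the key is loaded when the release boots from config/runtime.exs with System.fetch_env!/1 (so a missing variable stops startup instead of yielding nil), exposed through one accessor, and checked by a Plug with a constant-time comparison so the secret is neither hard-coded nor echoed in responses or logs. The OTP application name :my_app, the header name x-api-key and the module names are assumptions.

```elixir
# Added example (not the page's own code). Assumes an OTP app named :my_app,
# Plug >= 1.11 and the plug_crypto dependency that Plug pulls in.

# --- config/runtime.exs ---
# Evaluated when the release boots, so the key is never compiled into a .beam
# and the application refuses to start if the variable is missing.
import Config

config :my_app, MyApp.Config,
  api_key: System.fetch_env!("API_KEY")

# --- lib/my_app/config.ex ---
defmodule MyApp.Config do
  @moduledoc "Runtime access to the secrets loaded in config/runtime.exs."

  @doc "Returns the API key; raises if it was not configured."
  def api_key do
    :my_app
    |> Application.fetch_env!(__MODULE__)
    |> Keyword.fetch!(:api_key)
  end
end

# --- lib/my_app/plugs/require_api_key.ex ---
defmodule MyApp.Plugs.RequireApiKey do
  @moduledoc """
  Rejects requests whose `x-api-key` header does not match the configured key.
  The comparison is constant-time and the presented value is never logged
  or echoed back to the client.
  """
  @behaviour Plug
  import Plug.Conn

  @impl true
  def init(opts), do: opts

  @impl true
  def call(conn, _opts) do
    expected = MyApp.Config.api_key()

    case get_req_header(conn, "x-api-key") do
      # Exactly one header value: compare in constant time (handles
      # differing lengths by returning false).
      [presented] when is_binary(presented) ->
        if Plug.Crypto.secure_compare(presented, expected) do
          conn
        else
          reject(conn)
        end

      # Missing or repeated header: treat as unauthenticated.
      _ ->
        reject(conn)
    end
  end

  defp reject(conn) do
    conn
    |> put_resp_content_type("text/plain")
    |> send_resp(401, "unauthorized")
    |> halt()
  end
end

# --- lib/my_app/router.ex ---
defmodule MyApp.Router do
  use Plug.Router

  # Authenticate before routing so no handler runs without a valid key.
  plug MyApp.Plugs.RequireApiKey
  plug :match
  plug :dispatch

  get "/health", do: send_resp(conn, 200, "ok")
  match _, do: send_resp(conn, 404, "not found")
end
```

Running the release without API_KEY set fails at boot with the System.fetch_env! error, which is the desired behaviour: a deployment that silently compares against nil would accept no requests yet give no hint why. The key itself lives only in the deployment environment (or a secrets manager that populates it), never in the repository or the compiled artifact.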
References
• 214. Business Information Leak - Credentials