Dart Io Cleartext Sensitive Information
Description
This detector identifies when Dart applications transmit sensitive information over unencrypted connections using dart:io package functions. Cleartext transmission exposes sensitive data to network eavesdropping and man-in-the-middle attacks, potentially compromising user credentials, personal information, or other confidential data.
Detection Strategy
• The detector only runs when the dart:io package is imported in the code
• It examines the syntax-tree nodes in the code that represent potential network operations (for example, requests opened with HttpClient)
• For each node, it checks if the operation involves writing sensitive information in cleartext format
• A vulnerability is reported when a cleartext body write operation is detected that could transmit sensitive data over an unencrypted connection
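The steps above can be modelled as a small scanner. The Python below is an added illustration, not Fluid Attacks' detector: the real check works on syntax-tree nodes, whereas this version approximates each step with regular expressions over the source lines, and it treats an argument as "sensitive" when its name contains a credential-like keyword (an assumed heuristic). The Dart samples it scans are constructed from the vulnerable and secure examples further down the page.

```python
"""Simplified, line-based model of the cleartext-sensitive-information check.

Added illustration only: the real detector analyses syntax-tree nodes; this
version approximates each of its steps with regular expressions.
"""
import re
from dataclasses import dataclass

# Step 1: the check only applies to files that import dart:io.
DART_IO_IMPORT = re.compile(r"""import\s+['"]dart:io['"]\s*;""")

# Step 2: HttpClient requests opened against a URL literal. Remember the variable
# holding the request and the URL scheme it was opened with.
OPEN_REQUEST = re.compile(
    r"""(?P<var>\w+)\s*=\s*await\s+\w+\.(?:postUrl|putUrl|patchUrl|getUrl)\("""
    r"""\s*(?:Uri\.parse\(\s*)?['"](?P<url>(?P<scheme>https?)://[^'"]*)['"]"""
)

# Step 3: body writes on a request variable, capturing the written expression.
WRITE_CALL = re.compile(r"""\b(?P<var>\w+)\.(?:write|writeln|add)\((?P<arg>[^;]*)\)\s*;""")

# Assumed heuristic for "sensitive information": identifiers that usually hold secrets.
SENSITIVE = re.compile(r"password|passwd|secret|token|credential|apikey|api_key|ssn",
                       re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line: int        # 1-based line of the write call
    variable: str    # request variable that was written to
    url: str         # cleartext URL the request was opened against
    written: str     # expression passed to write()


def scan_dart(source: str) -> list[Finding]:
    """Return one Finding per sensitive body write on an http:// request."""
    if not DART_IO_IMPORT.search(source):
        return []                                   # step 1: no dart:io, detector does not run

    cleartext_requests: dict[str, str] = {}         # request variable -> http:// URL
    findings: list[Finding] = []

    for number, line in enumerate(source.splitlines(), start=1):
        opened = OPEN_REQUEST.search(line)
        if opened:
            if opened["scheme"] == "http":
                cleartext_requests[opened["var"]] = opened["url"]
            else:
                cleartext_requests.pop(opened["var"], None)   # https: variable is now safe
            continue

        for write in WRITE_CALL.finditer(line):          # step 4: cleartext body write
            url = cleartext_requests.get(write["var"])
            if url is not None and SENSITIVE.search(write["arg"]):
                findings.append(Finding(number, write["var"], url, write["arg"].strip()))

    return findings


# Constructed samples, built from the page's vulnerable and secure examples.
VULNERABLE_SAMPLE = """import 'dart:io';

Future<void> sendPassword() async {
  final client = HttpClient();
  final request = await client.postUrl(Uri.parse('http://api.example.com/login'));
  final password = 'secret123';
  request.write(password); // Credentials travel in cleartext
  await request.close();
}
"""
SECURE_SAMPLE = VULNERABLE_SAMPLE.replace("http://", "https://")
NO_IMPORT_SAMPLE = VULNERABLE_SAMPLE.replace("import 'dart:io';", "")
NON_SENSITIVE_SAMPLE = VULNERABLE_SAMPLE.replace("request.write(password);",
                                                 "request.write('ping');")

if __name__ == "__main__":
    for name, sample in [("vulnerable", VULNERABLE_SAMPLE), ("secure", SECURE_SAMPLE),
                         ("no dart:io import", NO_IMPORT_SAMPLE),
                         ("non-sensitive body", NON_SENSITIVE_SAMPLE)]:
        print(name, "->", scan_dart(sample) or "no findings")
```

Only the first sample produces a finding: the https variant, the file without the dart:io import, and the http request that writes a non-sensitive body all pass, which mirrors the four bullets above.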
Vulnerable code example
import 'dart:io';

// VULNERABLE: credentials sent over unencrypted HTTP
Future<void> sendPassword() async {
  final client = HttpClient();
  final request = await client.postUrl(Uri.parse('http://api.example.com/login'));
  final password = 'secret123';
  request.write(password); // Credentials travel in cleartext
  final response = await request.close(); // Sends the request body over plain HTTP
  await response.drain<void>(); // Consume the response so the connection can be released
  client.close();
}

✅ Secure code example
import 'dart:io';

// SAFE: credentials sent over encrypted HTTPS
Future<void> sendPassword() async {
  final client = HttpClient();
  final request = await client.postUrl(Uri.parse('https://api.example.com/login')); // Changed to HTTPS for encryption
  final password = 'secret123';
  request.write(password); // Credentials now travel inside the TLS session
  final response = await request.close(); // Sends the request body over TLS
  await response.drain<void>(); // Consume the response so the connection can be released
  client.close();
}