Dart Dio Cleartext Sensitive Information
Description
This vulnerability detector identifies Dart applications using the Dio HTTP client to send sensitive information over unencrypted HTTP connections. When sensitive data like credentials, authentication tokens, or personal information is transmitted without HTTPS encryption, it can be intercepted by attackers performing man-in-the-middle attacks or network sniffing.
Detection Strategy
• The detector first verifies that the Dio HTTP client library is imported in the Dart code
• It examines all HTTP method calls (GET, POST, PUT, etc.) made through Dio client instances
• For each Dio HTTP call, it checks if the request is being made to an HTTP URL (non-encrypted) rather than HTTPS
• It analyzes the request content or context to determine if sensitive information is being transmitted
• A vulnerability is reported when a Dio HTTP call sends sensitive data over an unencrypted HTTP connection
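The five steps above can be exercised with a small static matcher. The following is an added illustration, not Fluid Attacks' detector or any of its code: it checks for the Dio import, collects variables assigned from `Dio(...)`, locates HTTP method calls on those instances, tests whether the URL literal starts with `http://`, and finally looks for sensitive-looking keys (a constructed keyword list) in the call's arguments. The Dart snippets it scans are constructed samples, and the `Finding` type and `find_cleartext_sensitive` function are names chosen for this example.

```python
import re
from dataclasses import dataclass

# Constructed keyword list (an assumption for this example); a real detector
# would use a richer model of what counts as sensitive request content.
SENSITIVE_KEYWORDS = ("password", "passwd", "secret", "token", "apikey",
                      "api_key", "authorization", "credential", "ssn",
                      "credit_card", "creditcard")

DIO_IMPORT = re.compile(r"import\s+'package:dio/dio\.dart'")
DIO_INSTANCE = re.compile(r"\b(\w+)\s*=\s*Dio\s*\(")        # e.g. final dio = Dio();
HTTP_METHODS = "get|post|put|patch|delete|head|request|download"
DIO_CALL = re.compile(r"\b(\w+|Dio\s*\(\s*\))\.(%s)\s*\(" % HTTP_METHODS)
HTTP_URL = re.compile(r"['\"](http://[^'\"]*)['\"]")          # plain-HTTP literal only


@dataclass
class Finding:
    line: int      # 1-based line of the Dio call
    method: str    # HTTP method name used on the Dio instance
    url: str       # the cleartext URL literal


def _call_end(src: str, open_paren: int) -> int:
    """Index of the ')' that closes the call starting at open_paren."""
    depth = 0
    for i in range(open_paren, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return i
    return len(src) - 1


def find_cleartext_sensitive(src: str) -> list[Finding]:
    # Step 1: the detector only applies when Dio is imported.
    if not DIO_IMPORT.search(src):
        return []
    # Step 2: which variables hold Dio client instances?
    instances = set(DIO_INSTANCE.findall(src))
    findings: list[Finding] = []
    for m in DIO_CALL.finditer(src):
        receiver, method = m.group(1), m.group(2)
        if receiver not in instances and not receiver.startswith("Dio"):
            continue  # a call on something that is not a Dio client
        open_paren = m.end() - 1
        args = src[open_paren:_call_end(src, open_paren) + 1]
        # Step 3: is the target an http:// (non-encrypted) URL literal?
        url = HTTP_URL.search(args)
        if not url:
            continue  # HTTPS, or a non-literal URL this simple matcher cannot judge
        # Step 4: does the request content look sensitive?
        lowered = args.lower()
        if not any(k in lowered for k in SENSITIVE_KEYWORDS):
            continue
        # Step 5: report sensitive data over cleartext HTTP.
        findings.append(Finding(line=src.count("\n", 0, m.start()) + 1,
                                method=method, url=url.group(1)))
    return findings


# Constructed Dart samples used to exercise the checks.
SAMPLE_VULNERABLE = """\
import 'package:dio/dio.dart';

Future<void> login() async {
  final dio = Dio();
  await dio.post('http://api.example.com/login',
      data: {'password': 'secret123'});
}
"""

SAMPLE_SECURE = SAMPLE_VULNERABLE.replace("http://", "https://")

SAMPLE_NON_SENSITIVE = """\
import 'package:dio/dio.dart';

Future<void> fetchWeather() async {
  final dio = Dio();
  await dio.get('http://weather.example.com/today');
}
"""

SAMPLE_NO_DIO = """\
import 'package:http/http.dart' as http;

Future<void> login() async {
  await http.post(Uri.parse('http://api.example.com/login'),
      body: {'password': 'secret123'});
}
"""

if __name__ == "__main__":
    for name, sample in [("vulnerable", SAMPLE_VULNERABLE), ("secure", SAMPLE_SECURE),
                         ("non-sensitive", SAMPLE_NON_SENSITIVE), ("no dio", SAMPLE_NO_DIO)]:
        print(name, find_cleartext_sensitive(sample))
```

Only the first sample yields a finding; the HTTPS variant, the non-sensitive GET, and the file that does not import Dio are all skipped by the corresponding step. Note that a URL built at runtime (for example from a config value) is not a string literal and falls outside what this matcher can decide; that is a limitation of the example, not of the page's detector.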
Vulnerable code example
import 'package:dio/dio.dart';

// VULNERABLE: sending password over unencrypted HTTP
Future<void> login() async {
  final dio = Dio();
  await dio.post('http://api.example.com/login',
      data: {'password': 'secret123'}); // credentials travel in cleartext
}

Secure code example
import 'package:dio/dio.dart';

// SAFE: HTTPS encrypts credentials in transit
Future<void> login() async {
  final dio = Dio();
  await dio.post('https://api.example.com/login',
      data: {'password': 'secret123'}); // credentials travel encrypted
}