Go Smtp Hardcoded Password
Description
Detects hardcoded credentials passed to SMTP authentication in Go applications. When SMTP credentials are embedded in source code rather than loaded from a secure configuration mechanism (environment variables, a secrets manager), anyone with access to the source tree, the version-control history or a built binary can recover them and authenticate to the mail server as the application, for example to send mail in its name. Rotating such a credential also requires a code change and a new release instead of a configuration update.
Detection Strategy
• Checks whether the 'net/smtp' package is imported in the Go source file
• Identifies calls to smtp.PlainAuth, the function that builds the PLAIN authentication mechanism later handed to smtp.SendMail or Client.Auth
• Examines the username and password arguments of PlainAuth to determine whether they are string literals rather than values loaded from configuration or the environment
• Reports a vulnerability when a credential passed to the authentication function is a string literal
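As an added illustration, not Fluid Attacks' code or the implementation of this rule, here is the detection strategy above written as a small Go checker on top of go/ast. It follows the same four steps (net/smtp import, smtp.PlainAuth call, literal username/password arguments, report) and additionally resolves a local variable assigned from a string literal inside the same function, which is how the vulnerable example on this page is written. The function names, the finding format and the two embedded sample sources are assumptions made for this example; the sample credentials are constructed and not real.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"go/types"
	"strconv"
)

// literalLocals maps names assigned in fn from a string literal (password := "...") to that literal;
// a name later assigned from anything else (a call, another variable) is dropped as uncertain.
func literalLocals(fn *ast.FuncDecl) map[string]*ast.BasicLit {
	lits := map[string]*ast.BasicLit{}
	ast.Inspect(fn.Body, func(n ast.Node) bool {
		if as, ok := n.(*ast.AssignStmt); ok && len(as.Lhs) == 1 {
			id, isIdent := as.Lhs[0].(*ast.Ident)
			lit, isLit := as.Rhs[0].(*ast.BasicLit)
			if isIdent && isLit && lit.Kind == token.STRING {
				lits[id.Name] = lit
			} else if isIdent {
				delete(lits, id.Name)
			}
		}
		return true
	})
	return lits
}

// FindHardcodedSMTPAuth applies the detection strategy to one Go source file: require a net/smtp
// import, find <pkg>.PlainAuth calls, and flag a literal username (arg 1) or password (arg 2),
// passed directly or through a local assigned from a literal. Findings read "line N: arg = value".
func FindHardcodedSMTPAuth(src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "input.go", src, 0)
	if err != nil {
		return nil, err
	}
	pkg := "" // local name of the net/smtp import, honouring aliases such as `import mail "net/smtp"`
	for _, imp := range f.Imports {
		if p, err := strconv.Unquote(imp.Path.Value); err == nil && p == "net/smtp" {
			pkg = "smtp"
			if imp.Name != nil {
				pkg = imp.Name.Name
			}
		}
	}
	if pkg == "" {
		return nil, nil // no net/smtp import: nothing to check
	}
	var findings []string
	for _, decl := range f.Decls {
		fn, ok := decl.(*ast.FuncDecl)
		if !ok || fn.Body == nil {
			continue
		}
		locals := literalLocals(fn)
		ast.Inspect(fn.Body, func(n ast.Node) bool {
			call, ok := n.(*ast.CallExpr)
			if !ok || len(call.Args) != 4 || types.ExprString(call.Fun) != pkg+".PlainAuth" {
				return true
			}
			names := [...]string{1: "username", 2: "password"} // PlainAuth(identity, username, password, host)
			for i := 1; i <= 2; i++ {
				lit, _ := call.Args[i].(*ast.BasicLit)
				if id, ok := call.Args[i].(*ast.Ident); ok {
					lit = locals[id.Name]
				}
				// os.Getenv(...), struct fields and other call results leave lit nil and are not flagged
				if lit != nil && lit.Kind == token.STRING {
					v, _ := strconv.Unquote(lit.Value)
					findings = append(findings, fmt.Sprintf("line %d: %s = %q", fset.Position(call.Pos()).Line, names[i], v))
				}
			}
			return true
		})
	}
	return findings, nil
}

// Constructed samples (not real code or credentials): the first mirrors the vulnerable pattern on
// this page, the second reads the credentials from the environment at run time.
const sampleVulnerable = `package main
import "net/smtp"
func sendEmail() error {
	password := "P@ssw0rd123!"
	username := "admin@example.com"
	auth := smtp.PlainAuth("", username, password, "smtp.example.com")
	return smtp.SendMail("smtp.example.com:587", auth, username, nil, nil)
}`
const sampleSecure = `package main
import ("net/smtp"; "os")
func sendEmail() error {
	auth := smtp.PlainAuth("", os.Getenv("SMTP_USER"), os.Getenv("SMTP_PASS"), "smtp.example.com")
	return smtp.SendMail("smtp.example.com:587", auth, "noreply@example.com", nil, nil)
}`

func main() {
	for _, src := range []string{sampleVulnerable, sampleSecure} {
		findings, err := FindHardcodedSMTPAuth(src)
		fmt.Println(len(findings), "finding(s):", findings, err)
	}
}
```

Run with `go run`: the first sample yields two findings on the PlainAuth line (username and password), the second none. The check is purely syntactic and per function: it honours an import alias and ignores an unrelated package-level function that happens to be called PlainAuth, but it does not follow values across functions, struct fields, `var` declarations with initializers or package-level variables, which is where a production scanner adds data-flow tracking.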
Vulnerable code example
```go
package main

import "net/smtp"

func sendEmail() error {
	// SECURITY ISSUE: Hard-coded credentials exposed in source code
	password := "P@ssw0rd123!"
	username := "admin@example.com"
	auth := smtp.PlainAuth("", username, password, "smtp.example.com")
	return smtp.SendMail("smtp.example.com:587", auth, username,
		[]string{"recipient@example.com"}, []byte("test"))
}
```

✅ Secure code example
```go
package main

import (
	"errors"
	"net/smtp"
	"os"
)

func sendEmail() error {
	// Credentials are read from the environment at run time (variable names assumed), never from source
	username, password := os.Getenv("SMTP_USERNAME"), os.Getenv("SMTP_PASSWORD")
	if username == "" || password == "" {
		return errors.New("SMTP credentials are not configured")
	}
	auth := smtp.PlainAuth("", username, password, "smtp.example.com")
	return smtp.SendMail("smtp.example.com:587", auth, username,
		[]string{"recipient@example.com"}, []byte("test"))
}
```