Submission Details
Severity: high
Valid

Access Control Vulnerability on setPassword() function

Summary

The setPassword() function on line 26 has no access control. This allows anyone (the Attacker), not just the s_owner (the Victim), to set the password.

```solidity
function setPassword(string memory newPassword) external {
    s_password = newPassword;
    emit SetNetPassword();
}
```

Vulnerability Details

Since setPassword() has no check or safeguard ensuring that only the owner can call it, the Attacker can call it and assign a password of their own choosing.

Impact

Any person can call this function and set a new password. If an Attacker changes the password, they gain (unauthorized) control over the password value stored inside the PasswordStore contract, which is a security risk.

Tools Used

None

Recommendations

One way to make this function more secure is to use a require() that checks whether the caller is the owner. Since a variable already stores the owner's address (s_owner), we can use it for this check. The code to implement this:

```solidity
function setPassword(string memory newPassword) external {
    // Safeguard: if the caller is not the owner, the transaction reverts and the next two lines are never executed.
    require(msg.sender == s_owner, "only owner can set Password");
    s_password = newPassword;
    emit SetNetPassword();
}
```

This way, the Attacker will no longer be able to store their own password by calling this function.
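As an added example (not part of this submission or the PasswordStore codebase), a Foundry test against a constructed minimal contract that carries the recommended require() guard. The stand-in contract, its getPassword() accessor and the owner/attacker addresses are assumptions for illustration; only the setPassword() body mirrors the recommendation above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {Test} from "forge-std/Test.sol";

// Constructed stand-in for PasswordStore (not the audited contract) with the
// recommended require() guard on setPassword(). Names follow the finding.
contract HardenedPasswordStore {
    address private s_owner;
    string private s_password;
    event SetNetPassword();
    constructor() {
        s_owner = msg.sender;
    }
    function setPassword(string memory newPassword) external {
        require(msg.sender == s_owner, "only owner can set Password");
        s_password = newPassword;
        emit SetNetPassword();
    }

    // Hypothetical read accessor, gated the same way, so the test can observe state.
    function getPassword() external view returns (string memory) {
        require(msg.sender == s_owner, "only owner can get Password");
        return s_password;
    }
}

contract SetPasswordAccessControlTest is Test {
    HardenedPasswordStore store;
    address owner = makeAddr("owner");       // constructed test address
    address attacker = makeAddr("attacker"); // constructed test address

    function setUp() public {
        vm.prank(owner); // deploy as owner so s_owner == owner
        store = new HardenedPasswordStore();
    }

    function test_OwnerCanSetPassword() public {
        vm.startPrank(owner);
        store.setPassword("myNewPassword");
        assertEq(store.getPassword(), "myNewPassword");
        vm.stopPrank();
    }

    function test_AttackerCannotSetPassword() public {
        vm.prank(attacker);
        vm.expectRevert(bytes("only owner can set Password"));
        store.setPassword("attackerPassword"); // reverts before storage is written
    }
}
```

Run with `forge test`; the second test fails against the unguarded version of setPassword() shown in the Summary, which is the observable the finding relies on.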

Updates

Lead Judging Commences

inallhonesty Lead Judge
over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-lacking-access-control

Anyone can call `setPassword` and set a new password contrary to the intended purpose.
