Submission Details
Severity: high
Valid

Plain Text Password Storage Vulnerability

Summary

Because the password is stored in plain text (not encrypted) in contract storage, anyone can read it.

Vulnerability Details

In this contract, the setPassword function stores the user's password on the blockchain. The issue is that some users may not know how to protect their passwords and may submit them unprotected (unencrypted). Because all contract storage is publicly readable, anyone who knows how to read it (for example with the cast storage command) can see the password.

```solidity
/*
 * @notice This function allows only the owner to set a new password.
 * @param newPassword The new password to set.
 */
function setPassword(string memory newPassword) external {
    // The password is written to the s_password storage variable in the clear
    s_password = newPassword;
    emit SetNetPassword();
}
```
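To make the "anyone can read storage" point concrete, the following added example (not part of the original submission or the PasswordStore code) decodes the 32-byte word that `cast storage <contract> <slot>` returns for a Solidity `string` variable such as s_password, using Solidity's documented storage encoding. The sample slot word is constructed here; the slot index is not stated on the page and is treated as an assumption.

```python
# Decode a raw 32-byte storage word holding a Solidity `string`, in the form
# `cast storage <contract> <slot>` prints it. Solidity storage encoding:
#   short string (< 32 bytes): bytes left-aligned in the word, lowest byte = 2*len
#   long string (>= 32 bytes): word holds 2*len + 1, data lives at keccak256(slot)
# Nothing here needs a key or a "private" view: the word is public chain state.

def _word_bytes(word: str) -> bytes:
    """Turn a 0x-prefixed hex word (as cast prints it) into 32 raw bytes."""
    raw = bytes.fromhex(word[2:] if word.startswith("0x") else word)
    if len(raw) != 32:
        raise ValueError("expected a 32-byte storage word")
    return raw

def decode_string_slot(word: str, data_words=None) -> str:
    """Recover the plain-text string from its storage word.

    data_words: for long strings, the consecutive 32-byte words read from
    keccak256(slot), keccak256(slot)+1, ... (supplied by the caller)."""
    raw = _word_bytes(word)
    low = raw[-1]
    if low & 1 == 0:
        # Short string: length is half the lowest byte, data is the prefix.
        length = low // 2
        return raw[:length].decode("utf-8")
    # Long string: the whole word is 2*len + 1; data is elsewhere.
    length = (int.from_bytes(raw, "big") - 1) // 2
    if data_words is None:
        raise ValueError(f"long string ({length} bytes): read data words at keccak256(slot)")
    data = b"".join(_word_bytes(w) for w in data_words)
    return data[:length].decode("utf-8")

# Constructed sample: what cast would print for s_password == "myPassword"
# (10 bytes, so the lowest byte is 0x14 == 20). Slot index assumed, not from page.
SAMPLE_SLOT_WORD = "0x6d7950617373776f7264" + "00" * 21 + "14"

if __name__ == "__main__":
    # Equivalent to: cast storage <PasswordStore address> 1 --rpc-url <node>
    print(decode_string_slot(SAMPLE_SLOT_WORD))  # prints: myPassword
```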

Impact

This vulnerability places users at significant risk, as it allows anyone to read their passwords. Malicious actors could exploit this weakness to compromise user accounts and potentially engage in identity theft, fraud, or other malicious activities.

Tool used

Manual Review

Recommendations

  1. User-Friendly Documentation: Given that not all users may be technically proficient, it is essential to provide clear and accessible documentation. Educate users about the importance of securely submitting their passwords in encrypted formats to ensure their data remains safe.

  2. Encrypt Password Off-Chain: Passwords should never be stored in plain text within a smart contract. Instead, implement proper encryption techniques to securely hash passwords before submitting them to the setPassword function. This approach ensures that only the hashed password is stored on the blockchain, protecting user data from potential leaks.

Updates

Lead Judging Commences

inallhonesty (Lead Judge), almost 2 years ago

Submission Judgement Published

Validated

Assigned finding tags: finding-anyone-can-read-storage

Private functions and state variables are only visible to the contract they are defined in, not to derived contracts. In this case, private doesn't mean secret/confidential.
