The getPassword function returns the stored password in clear-text when called by the owner. While the function has a check to ensure only the owner can invoke it and retrieve the password, the actual return value, i.e., the password, is included in the transaction data. Since all transaction data on the Ethereum blockchain is publicly accessible, anyone using a block explorer or monitoring the contract's transactions can see the password in clear-text when the owner retrieves it.
High. This vulnerability exposes the password to anyone monitoring the blockchain, defeating the purpose of storing the password securely in the first place. It compromises the confidentiality of the stored password, making it accessible to potential adversaries.
Refrain from returning sensitive data, like passwords, directly in transaction outputs. If the purpose is to allow the owner to retrieve and view the password, consider alternative methods that maintain privacy, such as off-chain communication or encrypted data.
Re-evaluate the necessity of a function that returns the clear-text password. If the purpose of the contract is only to verify or update the password, a comparison function that doesn't expose the password might be more appropriate.
If retrieval is essential, employ encryption techniques so that even if the transaction data is viewed, the password remains secure. However, this introduces challenges related to key management and decryption.
Private functions and state variables are only visible to the contract they are defined in, not to derived contracts. In this case, private does not mean secret or confidential: the value still sits in the contract's storage, which anyone can read.
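The following is an added example, not code from the audit report or the audited contract. It shows the check an auditor would run to demonstrate the point above: a private Solidity string can be decoded straight from its raw storage word (what eth_getStorageAt returns), with no call to getPassword at all. The slot number (1), the owner address and the sample password are constructed assumptions.

```python
# Added example; not part of the audit finding or the audited contract.
# Solidity packs a string of 31 bytes or fewer into the variable's own slot:
# the bytes sit left-aligned, zero padded, with length * 2 in the lowest byte.
# Longer strings store 2 * length + 1 in the slot and their bytes at
# keccak256(slot); that case is reported here rather than decoded, since it
# needs extra storage reads.

def encode_short_string_slot(s: str) -> bytes:
    """Build the 32-byte word Solidity stores for a string of <= 31 bytes."""
    data = s.encode("utf-8")
    if len(data) > 31:
        raise ValueError("only short strings fit in a single slot")
    return data + b"\x00" * (31 - len(data)) + bytes([len(data) * 2])


def decode_string_slot(word: bytes) -> str:
    """Recover a string from its raw storage word (short-string case)."""
    if len(word) != 32:
        raise ValueError("a storage word is exactly 32 bytes")
    value = int.from_bytes(word, "big")
    if value & 1:
        # Lowest bit set: long string, data lives at keccak256(slot).
        raise ValueError(f"long string of {(value - 1) // 2} bytes, data at keccak256(slot)")
    length = word[31] // 2
    return word[:length].decode("utf-8")


# Constructed storage snapshot, i.e. what eth_getStorageAt would return for
# the first two slots (assumed layout: slot 0 = owner, slot 1 = password).
OWNER = bytes.fromhex("000000000000000000000000" + "ab" * 20)
STORAGE = {
    0: OWNER,
    1: encode_short_string_slot("myPassword"),  # constructed sample value
}


def read_private_password(storage: dict, slot: int = 1) -> str:
    """What any observer with RPC access sees; getPassword is never called."""
    return decode_string_slot(storage[slot])


if __name__ == "__main__":
    print("slot 1 raw:", STORAGE[1].hex())
    print("decoded   :", read_private_password(STORAGE))  # myPassword
```

Against a live deployment the same decoding applies to the word returned by eth_getStorageAt for the password's slot, which is the quickest way to confirm during review that nothing confidential lives in contract storage.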