Submission Details
Severity: high
Valid

"Private" Password can still be seen by anyone as contracts are open source

Summary

The contract's comments claim that you can store a private password that nobody else can see. That is impossible in the sense implied: the `private` keyword only hides the variable from other contracts, while the value itself sits in public on-chain storage.

Vulnerability Details

As per the contract's comment:

* @notice This contract allows you to store a private password that others won't be able to see.

Once a contract is deployed, anyone can read its bytecode and, more importantly, its storage straight from any node (e.g. `eth_getStorageAt`), whether or not the source is verified. Solidity's `private` is an access modifier for other contracts, not an encryption or secrecy mechanism, so the password is visible to everyone and is not private in the real-life, non-coding sense.

From the Secureum Bootcamp:
Since the blockchain is open-source, data with the modifier "private" is never private. It is advised to never store sensitive data on the blockchain.
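To make the point concrete, the following is an added example (not code from the submission or from the audited contract) that decodes a "private" string from the raw 32-byte storage words a node returns for `eth_getStorageAt` or `cast storage <address> <slot>`. Solidity's storage layout is documented, so no getter and no source code are needed. The slot layout (slot 0 = owner address, slot 1 = `string` password), the owner address and the password value are all assumptions/constructed sample data, since the page does not show the contract.

```python
# Added example, not code from the submission or from the audited contract.
# Shows why `private` storage is readable: a node answers eth_getStorageAt
# (or `cast storage <addr> <slot>`) with raw 32-byte words for any slot, and
# Solidity's storage layout is documented, so a "private" value decodes
# without any getter. Assumed layout (assumption; the page does not show the
# contract): slot 0 holds an owner address, slot 1 holds a `string` password.

OWNER_SLOT = 0
PASSWORD_SLOT = 1


def decode_address_slot(word: bytes) -> str:
    """An address occupies the low 20 bytes of its 32-byte storage word."""
    if len(word) != 32:
        raise ValueError("storage word must be 32 bytes")
    return "0x" + word[-20:].hex()


def string_length_from_slot(word: bytes) -> int:
    """Length of a Solidity `string` from its slot word.

    Strings of at most 31 bytes live in the slot itself: bytes left-aligned,
    lowest byte = 2 * length (even). Longer strings keep 2 * length + 1 (odd)
    in the slot and store the bytes at keccak256(slot) onward.
    """
    if len(word) != 32:
        raise ValueError("storage word must be 32 bytes")
    if word[-1] & 1 == 0:
        return word[-1] // 2
    return (int.from_bytes(word, "big") - 1) // 2


def decode_string_slot(word: bytes) -> str:
    """Decode a short (<= 31 byte) string packed in its own slot."""
    length = string_length_from_slot(word)
    if word[-1] & 1:
        raise ValueError(
            f"long string of {length} bytes: data is at keccak256(slot), "
            "read those slots too"
        )
    if length > 31:
        raise ValueError("invalid short-string length byte")
    return word[:length].decode("utf-8")


def encode_short_string(s: str) -> bytes:
    """Build the slot word Solidity writes for a short string.

    Used only to construct the sample data below.
    """
    raw = s.encode("utf-8")
    if len(raw) > 31:
        raise ValueError("not a short string")
    return raw + b"\x00" * (31 - len(raw)) + bytes([2 * len(raw)])


# Constructed sample: what a node would return for the two slots. The owner
# address and the password value are made up for this example.
SAMPLE_STORAGE = {
    OWNER_SLOT: b"\x00" * 12 + bytes.fromhex("11" * 20),
    PASSWORD_SLOT: encode_short_string("myPassword"),
}


def read_private_password(storage: dict) -> str:
    """The attacker's read: no source, no getter, just the raw slot word."""
    return decode_string_slot(storage[PASSWORD_SLOT])


if __name__ == "__main__":
    print("owner   :", decode_address_slot(SAMPLE_STORAGE[OWNER_SLOT]))
    print("password:", read_private_password(SAMPLE_STORAGE))
```

Against a live chain the same word comes from `cast storage <contract> 1 --rpc-url <url>`, and inside a Foundry test from `vm.load(address(store), bytes32(uint256(1)))`; the decoding is identical.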

Impact

The "private" password is readable by anyone. Rated high because the password could protect a financial account where funds are stored.

Tools Used

Manual Review

Recommendations

Do not store sensitive information like passwords on the blockchain.

Updates

Lead Judging Commences

inallhonesty Lead Judge
almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible to the contract they are defined in, not to derived contracts. In this case, private does not mean secret/confidential.
