Submission Details
Severity: high
Valid

Private variables can be accessed by other users in PasswordStore contract.

Summary

This report describes a vulnerability in the PasswordStore contract that allows attackers to access the owner and password variables even though they are declared as private. This vulnerability could allow attackers to steal passwords and gain access to user accounts.

Vulnerability Details

The vulnerability arises because the owner and password variables are stored in storage slots on the Ethereum blockchain. Anyone can view the values of storage slots, even if they cannot access the variables directly. While the contract intends to restrict access to these variables, the use of private may not provide a sufficient level of security. Malicious users may employ low-level techniques to access storage slots, potentially compromising the privacy of the owner and the stored password.

Impact

The impact of this vulnerability is that it could allow attackers to steal passwords and gain access to user accounts. This could have a number of negative consequences for users, including financial loss, identity theft and damage to reputation.

Tools Used

Manual analysis

Recommendations

Avoid storing sensitive information on the blockchain.
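
To make the finding concrete for reviewers, the following added example (not part of the original submission or the contract's code) decodes raw 32-byte storage words of the kind any node returns for a contract's slots. It assumes a layout of slot 0 = address owner and slot 1 = string password, which the page does not state; all sample words are constructed.

```python
# Added example: decode raw storage words (as returned by eth_getStorageAt).
# Assumed layout, not stated on the page: slot 0 = owner, slot 1 = password.

def _word(hex_word: str) -> bytes:
    """Parse one 0x-prefixed storage word and insist on exactly 32 bytes."""
    digits = hex_word[2:] if hex_word.startswith("0x") else hex_word
    raw = bytes.fromhex(digits)
    if len(raw) != 32:
        raise ValueError("storage word must be exactly 32 bytes")
    return raw

def decode_address(hex_word: str) -> str:
    """An address is right-aligned: it occupies the low-order 20 bytes."""
    return "0x" + _word(hex_word)[12:].hex()

def decode_string_slot(hex_word: str) -> dict:
    """Decode the main slot of a Solidity string/bytes state variable."""
    raw = _word(hex_word)
    if raw[31] & 1 == 0:
        # Short form (<= 31 bytes): data is left-aligned, last byte = length * 2.
        length = raw[31] // 2
        if length > 31:
            raise ValueError("invalid short-string encoding")
        text = raw[:length].decode("utf-8", errors="replace")
        return {"inline": True, "length": length, "value": text}
    # Long form: the slot holds length * 2 + 1 and the data itself is stored
    # in consecutive slots starting at keccak256(slot number).
    length = (int.from_bytes(raw, "big") - 1) // 2
    return {"inline": False, "length": length, "value": None}

# Constructed sample words (not taken from any deployed contract).
SLOT0 = "0x" + "00" * 12 + "11" * 20
SLOT1_SHORT = "0x" + b"myPassword".hex().ljust(62, "0") + "14"  # 10 bytes -> 0x14
SLOT1_LONG = "0x" + "00" * 31 + "51"                            # 40 bytes -> 0x51

if __name__ == "__main__":
    print("owner   :", decode_address(SLOT0))
    print("password:", decode_string_slot(SLOT1_SHORT))
    print("long    :", decode_string_slot(SLOT1_LONG))
```

The private keyword plays no part in any of these steps, which is why the recommendation is to keep the secret off-chain rather than to change visibility.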

Updates

Lead Judging Commences

inallhonesty Lead Judge
almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case, private doesn't mean secret/confidential.
