Weather Witness

First Flight #40
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: low
Valid

[EVMNINJA-WW08] Insecure HTTP Protocol Usage in API Request

Root + Impact

Description

The geocoding API request is sent over plain HTTP rather than HTTPS. Everything in the request, including the API key passed as the `appid` query parameter and the location data, travels unencrypted and can be read or altered by anyone positioned on the network path (a man-in-the-middle).

// Vulnerable: the API key is sent as a query parameter over plaintext HTTP
const geoCodingRequest = Functions.makeHttpRequest({
  url: "http://api.openweathermap.org/geo/1.0/zip",
  method: "GET",
  params: { zip: `${args[0]},${args[1]}`, appid: secrets.apiKey }
})

Risk

Likelihood:

High - Man-in-the-middle attacks on unencrypted connections are straightforward to execute.

Impact:

High - Exposing API keys could lead to unauthorized API usage and potential financial implications.

Proof of Concept

Recommended Mitigation

Use HTTPS for all API requests to ensure data is encrypted in transit.

// Fixed: same request over HTTPS, so the key and location data are encrypted in transit
const geoCodingRequest = Functions.makeHttpRequest({
  url: "https://api.openweathermap.org/geo/1.0/zip",
  method: "GET",
  params: { zip: `${args[0]},${args[1]}`, appid: secrets.apiKey }
})
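
The following is an added example, not code from the submission or from the Weather Witness project. It shows two defensive checks around the request config: a runtime guard that refuses to build a request config for any non-HTTPS URL, and a small static check that lists every `http://` literal in a Functions source string so a reviewer can catch a regression before deployment. `requireHttps`, `buildGeoCodingRequest`, `findPlaintextUrls` and `SAMPLE_SOURCE` are hypothetical names chosen here; `zip`, `countryCode` and `apiKey` stand in for `args[0]`, `args[1]` and `secrets.apiKey`, and the resulting object is what would be passed to `Functions.makeHttpRequest`.

```javascript
// Added example (hypothetical helpers, not a library API).

// Runtime guard: parse the URL and reject anything that is not https, so an
// API key can never be attached to a plaintext request by mistake.
function requireHttps(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (err) {
    throw new Error(`invalid URL: ${url}`);
  }
  if (parsed.protocol !== "https:") {
    throw new Error(
      `refusing ${parsed.protocol} request to ${parsed.host}; https is required`
    );
  }
  return parsed.toString();
}

// Builds the config object for Functions.makeHttpRequest. The Chainlink
// Functions runtime is not available offline, so the request is not sent here.
function buildGeoCodingRequest(baseUrl, zip, countryCode, apiKey) {
  return {
    url: requireHttps(baseUrl),
    method: "GET",
    params: { zip: `${zip},${countryCode}`, appid: apiKey },
  };
}

// Static check: return every quoted http:// URL literal found in a source
// string, for use in a pre-deploy review or CI step.
function findPlaintextUrls(source) {
  const re = /["'`](http:\/\/[^"'`\s]*)["'`]/g;
  const found = [];
  let m;
  while ((m = re.exec(source)) !== null) {
    found.push(m[1]);
  }
  return found;
}

// Constructed sample: the vulnerable request from the finding, as it would
// appear in a Functions source file.
const SAMPLE_SOURCE = `
const geoCodingRequest = Functions.makeHttpRequest({
  url: "http://api.openweathermap.org/geo/1.0/zip",
  method: "GET",
  params: { zip: \`\${args[0]},\${args[1]}\`, appid: secrets.apiKey }
})
`;

// Usage: the static check flags the plaintext URL, and the guard refuses it.
console.log("plaintext URLs:", findPlaintextUrls(SAMPLE_SOURCE));
try {
  buildGeoCodingRequest("http://api.openweathermap.org/geo/1.0/zip", "10001", "US", "KEY");
} catch (err) {
  console.log("guard rejected:", err.message);
}
console.log(
  buildGeoCodingRequest("https://api.openweathermap.org/geo/1.0/zip", "10001", "US", "KEY")
);
```

The guard throws rather than silently rewriting `http://` to `https://`, so a misconfigured endpoint fails loudly during testing instead of leaking the key once in production.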

Updates

Appeal created

bube Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Use of `http` instead of `https` for getting geo location
