Weather Witness

First Flight #40
Beginner Friendly, Foundry, Solidity, NFT
100 EXP

Submission Details
Severity: low
Valid

Using http for getting geo location

Root + Impact

Description

  • The Weather JS source (the Chainlink Functions script) fetches geolocation data over plain http, looking the location up by zip and country code.

```javascript
const geoCodingRequest = Functions.makeHttpRequest({
  url: "http://api.openweathermap.org/geo/1.0/zip",
  method: "GET",
  params: { zip: `${args[0]},${args[1]}`, appid: secrets.apiKey }
})
```
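As an added example (not part of the original submission or the project's code), a small lint that scans Chainlink Functions JavaScript source for `makeHttpRequest` calls whose `url` literal uses plain http, so this class of issue is caught before the source is deployed. The source text it scans is a constructed sample built from the snippet above plus a hypothetical https request.

```javascript
// Constructed sample of Functions source: the vulnerable request from the
// finding, followed by a hypothetical request that already uses https.
const SAMPLE_SOURCE = `
const geoCodingRequest = Functions.makeHttpRequest({
  url: "http://api.openweathermap.org/geo/1.0/zip",
  method: "GET",
  params: { zip: \`\${args[0]},\${args[1]}\`, appid: secrets.apiKey }
})
const okRequest = Functions.makeHttpRequest({
  url: "https://example.com/hypothetical-endpoint",
  method: "GET",
})
`;

// Matches a `url:` property whose value is a quoted string literal
// (single, double or backtick quotes) and captures the literal text.
const URL_LITERAL = /\burl\s*:\s*(["'`])([^"'`]*)\1/g;

// Returns one finding per http:// URL literal: the 1-based line number,
// the offending URL, and the https:// form to replace it with.
function findInsecureUrls(source) {
  const findings = [];
  source.split("\n").forEach((line, idx) => {
    for (const m of line.matchAll(URL_LITERAL)) {
      const url = m[2];
      if (/^http:\/\//i.test(url)) {
        findings.push({
          line: idx + 1,
          url,
          fix: url.replace(/^http:/i, "https:"),
        });
      }
    }
  });
  return findings;
}

// Stand-alone run: report every plain-http request in the sample source.
for (const f of findInsecureUrls(SAMPLE_SOURCE)) {
  console.log(`line ${f.line}: ${f.url} -> ${f.fix}`);
}
```

The check only sees string literals; a `url` built from variables still needs a manual look.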

Risk

Likelihood:

  • Not high

Impact:

  • Anyone who intercepts the traffic obtains the OpenWeather API key. They could also modify the response and break the dapp's functionality.

Proof of Concept

Anyone able to intercept network traffic between the Chainlink Functions node and the OpenWeatherMap API endpoint (e.g., via a compromised network or malicious ISP) could read the API key and potentially modify the response.

N/A

Recommended Mitigation

Switching to https would reduce the risk of exposing the API key and of the request being intercepted and its response modified.

const geoCodingRequest = Functions.makeHttpRequest({
- url: "http://api.openweathermap.org/geo/1.0/zip",
+ url: "https://api.openweathermap.org/geo/1.0/zip",
method: "GET",
params: { zip: `${args[0]},${args[1]}`, appid: secrets.apiKey }
})
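Review bot: the one-line scheme change is the right fix for this request. Since `secrets.apiKey` is still sent as the `appid` query parameter in `params`, https protects it in transit but it remains part of the request URL, so the Functions source should not log or return the full URL.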

Updates

Appeal created

bube Lead Judge 23 days ago
Submission Judgement Published
Validated
Assigned finding tags:

Use of `http` instead of `https` for getting geo location
