ID H1:289189
Type hackerone
Reporter 4w3
Modified 2017-11-13T20:00:45
Description
Hi,
I found a JavaScript file that contains many private credentials.
JS File
https://app.legalrobot.com/meteor_runtime_config.js
Code
/*
 * Runtime configuration object as quoted in the report from
 * https://app.legalrobot.com/meteor_runtime_config.js. The script is fetched by
 * the browser, so every value below is visible to any visitor. In Meteor, the
 * PUBLIC_SETTINGS key carries what the application placed in
 * Meteor.settings.public, which is delivered to clients by design.
 *
 * Review notes on the values visible in this object:
 * - Google Analytics trackingId, Intercom appId/id and contact.fbAppId are
 *   client-side identifiers; on their own they are not authentication secrets.
 * - stripe.publishableKey carries the pk_live_ prefix. Publishable keys are
 *   intended to be embedded in client code; a secret key (sk_ prefix) would be
 *   the reportable finding, and none appears here.
 * - "Keen IO".writeKey is the one value that grants a capability rather than
 *   just naming an account: presumably it lets any holder submit events to
 *   that project (confirm scope with the vendor's key settings). Data
 *   collected through a client-exposed write key should be treated as
 *   untrusted, and the key should be rotatable.
 * - aws.files contains only a region; no access key or secret key is present.
 * - kadira (top level, outside PUBLIC_SETTINGS) shows an appId and endpoint;
 *   no appSecret appears in the quoted object.
 * - What to check on the defender side: that nothing server-only (API secrets,
 *   database URLs, signing keys) is ever placed under settings.public, since
 *   it would be published through this same file.
 */
__meteor_runtime_config__ = {"meteorRelease":"METEOR@1.5.2.2","meteorEnv":{"NODE_ENV":"production","TEST_METADATA":"{}"},"PUBLIC_SETTINGS":{"analyticsSettings":{"Google Analytics":{"trackingId":"UA-62872512-1"},"Intercom":{"appId":"nmyyq5i5"},"Keen IO":{"projectId":"556cb72a2fd4b162515c7ef8","writeKey":"dc0bfcfdeb1073312ebf28588828f224162ce8a2de411bbb563909191bfe4f6fc2f89749d64bc29ef1326e6f9520a7eec85ac68d1631abd3a211fea234f0b8f1d211bcd1a4f89d1a2ca7bdd5393dcc616155ba2eb65f0f26c14ecff30cef6958"}},"aws":{"files":{"region":"us-west-2"}},"contact":{"siteName":"Legal Robot","SMS":"(877) 413-4380","email":"hello@legalrobot.com","logo":"https://www.legalrobot.com/assets/img/logo.png","url":"https://www.legalrobot.com","shortUrl":"LegalRobot.com","address":"548 Market Street, Suite 28970, San Francisco, CA 94104","phone":"(415) 894-0240","facebook":"https://www.facebook.com/LegalRobot/","twitter":"https://twitter.com/legalrobot","instagram":"https://www.instagram.com/legalrobot/","googlePlus":"https://plus.google.com/+LegalRobot","linkedIn":"https://www.linkedin.com/company/legal-robot","fbAppId":"365463763640085"},"intercom":{"id":"nmyyq5i5"},"domain":"legalrobot.com","persistent_session":{"default_method":"temporary"},"stripe":{"publishableKey":"pk_live_aa7H8nClyv2IIShaDJGqDs9A"}},"ROOT_URL":"https://app.legalrobot.com","ROOT_URL_PATH_PREFIX":"","kadira":{"appId":"fqm5S7o42sAL2eD8T","endpoint":"https://apm-engine.meteor.com","clientEngineSyncDelay":10000,"enableErrorTracking":true},"appId":"zivmvxxevpdg1xu8kc5","accountsConfigCalled":true,"autoupdateVersion":"b63bfae847acb9cfe642ce499c53741902219d35","autoupdateVersionRefreshable":"6bb469fad9a6afa3ba3eb9dfb4e11067a35116ca","autoupdateVersionCordova":"325d666b7e9b79c77b59f2c48bc20ad9ed61033a"};
Private Data
{F238410}
"PUBLIC_SETTINGS":{"analyticsSettings":{"Google Analytics":{"trackingId":"UA-62872512-1"}`
* `Intercom":{"appId":"nmyyq5i5"}
Keen IO project ID and writeKey
Keen IO":{"projectId":"556cb72a2fd4b162515c7ef8","writeKey":"dc0bfcfdeb1073312ebf28588828f224162ce8a2de411bbb563909191bfe4f6fc2f89749d64bc29ef1326e6f9520a7eec85ac68d1631abd3a211fea234f0b8f1d211bcd1a4f89d1a2ca7bdd5393dcc616155ba2eb65f0f26c14ecff30cef6958"}}
Facebook App ID
"fbAppId":"365463763640085"}
Intercom id
intercom":{"id":"nmyyq5i5"}
Stripe publishable key
stripe":{"publishableKey":"pk_live_aa7H8nClyv2IIShaDJGqDs9A"}
PublishKey
"publishableKey":"pk_live_aa7H8nClyv2IIShaDJGqDs9A"}},"ROOT_URL":"https://app.legalrobot.com","ROOT_URL_PATH_PREFIX":""
kadira
"kadira":{"appId":"fqm5S7o42sAL2eD8T","endpoint":"https://apm-engine.meteor.com"
App ID
"appId":"zivmvxxevpdg1xu8kc5"
See also report #124100
{F238415}
Looking forward to hearing from @legalrobot security team.
Warm regards,
@4w3
{"id": "H1:289189", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "Legal Robot: Exposes a series of other private credentials", "description": "Hi,\n\nI found a `Javascript` file where have many private credentials.\n\n# JS File\n* `https://app.legalrobot.com/meteor_runtime_config.js`\n\n# Code\n```\n__meteor_runtime_config__ = {\"meteorRelease\":\"METEOR@1.5.2.2\",\"meteorEnv\":{\"NODE_ENV\":\"production\",\"TEST_METADATA\":\"{}\"},\"PUBLIC_SETTINGS\":{\"analyticsSettings\":{\"Google Analytics\":{\"trackingId\":\"UA-62872512-1\"},\"Intercom\":{\"appId\":\"nmyyq5i5\"},\"Keen IO\":{\"projectId\":\"556cb72a2fd4b162515c7ef8\",\"writeKey\":\"dc0bfcfdeb1073312ebf28588828f224162ce8a2de411bbb563909191bfe4f6fc2f89749d64bc29ef1326e6f9520a7eec85ac68d1631abd3a211fea234f0b8f1d211bcd1a4f89d1a2ca7bdd5393dcc616155ba2eb65f0f26c14ecff30cef6958\"}},\"aws\":{\"files\":{\"region\":\"us-west-2\"}},\"contact\":{\"siteName\":\"Legal Robot\",\"SMS\":\"(877) 413-4380\",\"email\":\"hello@legalrobot.com\",\"logo\":\"https://www.legalrobot.com/assets/img/logo.png\",\"url\":\"https://www.legalrobot.com\",\"shortUrl\":\"LegalRobot.com\",\"address\":\"548 Market Street, Suite 28970, San Francisco, CA 94104\",\"phone\":\"(415) 
894-0240\",\"facebook\":\"https://www.facebook.com/LegalRobot/\",\"twitter\":\"https://twitter.com/legalrobot\",\"instagram\":\"https://www.instagram.com/legalrobot/\",\"googlePlus\":\"https://plus.google.com/+LegalRobot\",\"linkedIn\":\"https://www.linkedin.com/company/legal-robot\",\"fbAppId\":\"365463763640085\"},\"intercom\":{\"id\":\"nmyyq5i5\"},\"domain\":\"legalrobot.com\",\"persistent_session\":{\"default_method\":\"temporary\"},\"stripe\":{\"publishableKey\":\"pk_live_aa7H8nClyv2IIShaDJGqDs9A\"}},\"ROOT_URL\":\"https://app.legalrobot.com\",\"ROOT_URL_PATH_PREFIX\":\"\",\"kadira\":{\"appId\":\"fqm5S7o42sAL2eD8T\",\"endpoint\":\"https://apm-engine.meteor.com\",\"clientEngineSyncDelay\":10000,\"enableErrorTracking\":true},\"appId\":\"zivmvxxevpdg1xu8kc5\",\"accountsConfigCalled\":true,\"autoupdateVersion\":\"b63bfae847acb9cfe642ce499c53741902219d35\",\"autoupdateVersionRefreshable\":\"6bb469fad9a6afa3ba3eb9dfb4e11067a35116ca\",\"autoupdateVersionCordova\":\"325d666b7e9b79c77b59f2c48bc20ad9ed61033a\"};\n```\n\n# Private Data\n\n{F238410}\n\n```\n\"PUBLIC_SETTINGS\":{\"analyticsSettings\":{\"Google Analytics\":{\"trackingId\":\"UA-62872512-1\"}`\n* `Intercom\":{\"appId\":\"nmyyq5i5\"}\n```\n\n#### Keen IO project id writeKey \n```\nKeen IO\":{\"projectId\":\"556cb72a2fd4b162515c7ef8\",\"writeKey\":\"dc0bfcfdeb1073312ebf28588828f224162ce8a2de411bbb563909191bfe4f6fc2f89749d64bc29ef1326e6f9520a7eec85ac68d1631abd3a211fea234f0b8f1d211bcd1a4f89d1a2ca7bdd5393dcc616155ba2eb65f0f26c14ecff30cef6958\"}}\n```\n\n#### Facebook App ID\n```\n\"fbAppId\":\"365463763640085\"}\n```\n\n#### Intercom id\n```\nintercom\":{\"id\":\"nmyyq5i5\"}\n```\n\n#### Stripe PublishKey\n`stripe\":{\"publishableKey\":\"pk_live_aa7H8nClyv2IIShaDJGqDs9A\"}`\n\n#### PublishKey \n```\n\"publishableKey\":\"pk_live_aa7H8nClyv2IIShaDJGqDs9A\"}},\"ROOT_URL\":\"https://app.legalrobot.com\",\"ROOT_URL_PATH_PREFIX\":\"\"\n```\n\n### 
kadira\n```\n\"kadira\":{\"appId\":\"fqm5S7o42sAL2eD8T\",\"endpoint\":\"https://apm-engine.meteor.com\"\n```\n#### App ID\n```\n\"appId\":\"zivmvxxevpdg1xu8kc5\"\n```\n\n### See also on a report #124100\n{F238415}\n\n\nLooking forward to hearing from @legalrobot security team.\n\nWarm Regard,\n@4w3", "published": "2017-11-10T14:54:49", "modified": "2017-11-13T20:00:45", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://hackerone.com/reports/289189", "reporter": "4w3", "references": [], "cvelist": [], "lastseen": "2018-04-19T17:34:11", "viewCount": 3, "enchantments": {"score": {"value": -0.2, "vector": "NONE", "modified": "2018-04-19T17:34:11", "rev": 2}, "dependencies": {"references": [], "modified": "2018-04-19T17:34:11", "rev": 2}, "vulnersScore": -0.2}, "bounty": 0.0, "bountyState": "duplicate", "h1team": {"url": "https://hackerone.com/legalrobot", "handle": "legalrobot", "profile_picture_urls": {"medium": "https://profile-photos.hackerone-user-content.com/000/001/601/9242a6d1525aeaccd124e9bd6f222a3ca41f3de9_medium.png?1472852893", "small": "https://profile-photos.hackerone-user-content.com/000/001/601/d66a130fccecc6d857e39f8b4251b67e4dfcc9db_small.png?1472852893"}}, "h1reporter": {"username": "4w3", "disabled": false, "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/000/140/774/ae3c8a66504c3de0fed59fd3d09b2c1d536ac5ff_small.png?1509546316"}, "url": "/4w3", "hacker_mediation": false, "is_me?": false, "hackerone_triager": false}}
{}