Exposure of Environment Variables via __ENV.js at gov-test.clearpool.finance #25
NoRed0x started this conversation in Bug reports
Description:
The file __ENV.js hosted at https://gov-test.clearpool.finance/__ENV.js exposes sensitive front-end environment variables intended for internal application configuration. The exposed JSON object includes critical API keys and service identifiers such as:
Google API Key (REACT_APP_GOOGLE_API_KEY)
Stripe Public Key (REACT_APP_STRIPE_PUBLIC_KEY)
Firebase Project Configuration (REACT_APP_GOOGLE_STORAGE_BUCKET, AUTH_DOMAIN, PROJECT_ID, etc.)
WalletConnect Project ID
Telegram Bot ID
Decent API Key
Iframely API Key
Datadog Client Token
While some of these keys (e.g. Stripe public key or Firebase app ID) are meant to be publicly accessible, others, such as API keys and tokens, could potentially be abused if not properly scoped or restricted.
Impact:
Abuse of 3rd-Party APIs: Attackers can use leaked API keys to interact with 3rd-party services (e.g., Google APIs, Iframely) on behalf of the organization, possibly incurring costs or accessing unintended data.
Reconnaissance Vector: Disclosure of project IDs, bot IDs, and service configurations can aid adversaries in fingerprinting backend infrastructure and planning targeted attacks.
Phishing or Social Engineering: Publicly exposed OAuth client IDs and messaging sender IDs could be leveraged in crafting convincing phishing campaigns.
Potential Lateral Movement: If any of the exposed keys are not properly restricted, they might be used to gain limited access to backend services or trigger events in connected environments (e.g., WebSocket endpoints, WalletConnect integrations).
Note: While these are front-end environment variables and some exposure is expected in browser-based apps, the inclusion of sensitive or unscoped API keys significantly increases the attack surface and risk.
window.__ENV = {"REACT_APP_GOOGLE_STORAGE_BUCKET":"charmverse-6827a.appspot.com","REACT_APP_STRIPE_PUBLIC_KEY":"pk_live_51JkML9CoqmaE6diLScT7ZRlYumIhNHEFHiKxL3QR5hx4gSF6u9e7KBFZi7HWQW1VOlEdu3nBAxvh5aywTsfZuuyH00HUVPLmaJ","REACT_APP_GOOGLE_AUTH_DOMAIN":"charmverse-6827a.firebaseapp.com","REACT_APP_BUILD_ID":"d454fbbc1e2f61e2c45782bee45d647048f98fff16649f055770efa6d60f6c9f","REACT_APP_TELEGRAM_BOT_ID":"5238575648","REACT_APP_DECENT_API_KEY":"42c19c7ae518ab3fd1303a7f90cbbdce","REACT_APP_GOOGLE_PROJECT_ID":"charmverse-6827a","REACT_APP_GOOGLE_APP_ID":"1:271935150045:web:8b19b0b83443ba1c460834","REACT_APP_DD_CLIENT_TOKEN":"pub32d724416b72a1fc57cca6c09e5b9ffe","REACT_APP_IFRAMELY_API_KEY":"01be3addb77b41d248450b3b13836d3b","REACT_APP_GOOGLE_API_KEY":"AIzaSyDC9PjCajeSppv70skjwFixm-n5H799nSQ","REACT_APP_WALLETCONNECT_PROJECTID":"7df6326ad9bf1c4afb07fe6843a8942e","REACT_APP_GOOGLE_OAUTH_CLIENT_ID_SENSITIVE":"969807089634-5bg1ljjosokj2thii73vpc2hgcnnal6q.apps.googleusercontent.com","REACT_APP_GOOGLE_MESSAGING_SENDER_ID":"271935150045","REACT_APP_WEBSOCKETS_HOST":"https://sockets.charmverse.io","REACT_APP_APP_ENV":"production"};
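A defender-side audit for the pattern described in this report, added here as an example that is not part of the original post or of the affected project: it parses a `window.__ENV = {...};` file of the shape shown above, classifies every variable by name and by value shape, and returns a report a CI step can gate on. The sample file, the allowlist of expected-public names, and the regex patterns are constructed assumptions; a "review" result only means a human must confirm the key is restricted on the provider side (referrer, API and quota restrictions), which no name-based check can verify.

```javascript
// Added example (not from the report or the project): audit a front-end
// __ENV.js bundle and flag variables that should not ship to the browser.
// The sample below is constructed; every value is a placeholder.
const SAMPLE_ENV_JS = `window.__ENV = {"REACT_APP_STRIPE_PUBLIC_KEY":"pk_live_PLACEHOLDER","REACT_APP_GOOGLE_API_KEY":"AIzaPLACEHOLDER","REACT_APP_GOOGLE_OAUTH_CLIENT_ID_SENSITIVE":"0000-placeholder.apps.googleusercontent.com","REACT_APP_DD_CLIENT_TOKEN":"pubPLACEHOLDER","REACT_APP_WEBSOCKETS_HOST":"https://sockets.example.invalid","REACT_APP_APP_ENV":"production","REACT_APP_PAYMENTS_KEY":"sk_live_PLACEHOLDER"};`;

// Variable names that are public by design in a browser bundle (assumed allowlist).
const EXPECTED_PUBLIC = new Set([
  "REACT_APP_STRIPE_PUBLIC_KEY", // Stripe publishable key
  "REACT_APP_DD_CLIENT_TOKEN",   // Datadog RUM client token
  "REACT_APP_WEBSOCKETS_HOST",
  "REACT_APP_APP_ENV",
]);

// Name patterns that must never reach the browser.
const FORBIDDEN_NAME = [/SECRET/, /PRIVATE_KEY/, /PASSWORD/];
// Name patterns that are acceptable only when the provider restricts the key.
const REVIEW_NAME = [/API_KEY$/, /TOKEN$/, /PROJECT_?ID$/, /_SENSITIVE$/];
// Value shapes that identify a server-side credential regardless of name.
const SECRET_VALUE = [/^sk_(live|test)_/, /^-----BEGIN [A-Z ]*PRIVATE KEY-----/];

// Pull the object literal out of `window.__ENV = {...};` and parse it as JSON.
function parseEnvJs(text) {
  const m = text.match(/window\.__ENV\s*=\s*(\{[\s\S]*\})\s*;?\s*$/);
  if (!m) throw new Error("no window.__ENV assignment found");
  return JSON.parse(m[1]);
}

// Value shape wins over name: a secret-looking value is forbidden even under a harmless name.
function classify(name, value) {
  if (SECRET_VALUE.some((re) => re.test(String(value)))) return "forbidden";
  if (EXPECTED_PUBLIC.has(name)) return "public";
  if (FORBIDDEN_NAME.some((re) => re.test(name))) return "forbidden";
  if (REVIEW_NAME.some((re) => re.test(name))) return "review";
  return "unknown";
}

// Returns { public: [...], review: [...], forbidden: [...], unknown: [...] }, names sorted.
function auditEnv(envObject) {
  const report = { public: [], review: [], forbidden: [], unknown: [] };
  for (const name of Object.keys(envObject).sort()) {
    report[classify(name, envObject[name])].push(name);
  }
  return report;
}

// CI gate: true only when nothing forbidden is present. "review" entries are
// reported but do not fail the build, because only the provider console can
// confirm whether they are restricted.
function envIsSafe(text) {
  return auditEnv(parseEnvJs(text)).forbidden.length === 0;
}

console.log(JSON.stringify(auditEnv(parseEnvJs(SAMPLE_ENV_JS)), null, 2));
console.log("safe to ship:", envIsSafe(SAMPLE_ENV_JS));
```

Run it with `node` against a downloaded copy of the bundle instead of `SAMPLE_ENV_JS` to get the same report for a real deployment; the allowlist is the part to maintain, since every variable that is not on it ends up in "review" or "unknown" and has to be justified.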