How I Found a Hardcoded RSA Private Key in a Major Crypto Exchange's Frontend
This vulnerability involved hardcoding an RSA private key in the frontend of a major cryptocurrency exchange. The researcher discovered the key during source code review, finding it embedded in JavaScript. This key was used for client-side encryption, making it possible for attackers to decrypt sensitive data such as user credentials and API keys. The researcher exploited this flaw by intercepting network traffic, replacing the encrypted data with plaintext data, and observing the decrypted response using the hardcoded RSA private key. This allowed the researcher to access user accounts and sensitive data. The researcher received $5,000 as part of the HackerOne bug bounty program. To fix this, remove hardcoded private keys from the frontend and store keys securely in the backend. Key lesson: Securely handle sensitive data, never hardcode private keys in the frontend. #BugBounty #Cybersecurity #WebSecurity #RSA #APIKeyLeak

https://medium.com/@HackerMD/how-i-found-a-hardcoded-rsa-private-key-in-a-major-crypto-exchanges-frontend-dd27b6a78fb2?source=rss------bug_bounty-5