Cleartext password in LocalStorage (Writeup)

ruvlol
ruvlol
Jul 7 · 2 min read

Hey. I want to share a cool and uncommon vulnerability I found in one of bug bounty programs.

Once I was testing an application, I suddenly decided to look into LocalStorage content. For those who are not familiar, LocalStorage is a key-value storage in browsers. It is not safe to use LocalStorage for storing a sensitive information, because it is always accessible from javascript. Unlike cookies, when setting one you can simply add a HttpOnly flag to make it safe against XSS attacks (unless you reflect it somewhere else), but in case of LocalStorage there is no such thing, it is impossible to restrict access to javascript and any XSS on target origin compromises it’s LocalStorage completely.

By the way, it is also reasonable to look into SessionStorage along. The difference between them is that LocalStorage keys are not expiring, while SessionStorage keys expiring after tab closing. In case of XSS it is possible to get SessionStorage keys, if XSS is stored.

So, basically I was looking for something like api keys or tokens if they were saved there. Once I opened it in browser (F12 -> Storage -> LocalStorage | SessionStorage), I saw only one row and it was log history for marketing purpose.

It is a big json containing any action I did on a website. It also had an object with two fields:

[{

“account.username” : “ruvlol”,

“account.password” : “redacted”

}]

On the moment I saw that I didn’t believe it. This behaviour was constant, giving absolutely same results after I logged in the application via blank browser and looked in LocalStorage.

I reported it immediately and got $1500 bounty which was a High severity according to their policy.

It only required to run following javascript to get someone else’s password:

var test = JSON.parse(localStorage.edited);

console.log(‘your username is: ‘ + test.edited.account.username + ‘ and your password is: ‘ + test.edited.account.password);

By the way, I have patreon where I am writing infosec articles. If you are interested you can check it out on https://www.patreon.com/ruvlol , I am working hard to make it a good source of ethical hacking exprience, a lot of articles are coming there including bug bounty writeups.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade