Critical Security Vulnerability: API Key Transmitted over Plaintext HTTP #309
Description
I've identified a critical security vulnerability in the tools module where authentication credentials (apikey) are transmitted over unencrypted HTTP connections.
In both tools/cwrap.py and tools/pwrap.py, the code explicitly constructs URLs using the http:// protocol instead of https://. For eg:
tools/cwrap.py
r = requests.post('http://www.controlcore.org/pm/'+yuyu+apikey+'&fetch='+name2, ...)
tools/pwrap.py
r = requests.post('http://www.controlcore.org/init/'+yuyu+apikey, ...)
Impact: Any attacker on the same network (e.g., public Wi-Fi) or in a position to intercept traffic (ISP, compromised router) can capture the full URL request, which includes the apikey. This leads to minimal effort account compromise.
Steps to Reproduce:
-
Inspect tools/cwrap.py or tools/pwrap.py.
-
Search for requests.post calls.
-
Observe the hardcoded http:// schema.
Suggested Fix wiol be, update all endpoint references to use https://. Ensure the server supports TLS (which controlcore.org likely does).