I found some hardcoded Google credentials in a third-party app for an online shop, including access and refresh tokens, and I was shocked to see they weren't encrypted. As a non-developer, this didn't seem right to me. After digging around and consulting ChatGPT for about 6-12 hours, I discovered the same script appeared in 44 different online stores using the app. I took action by informing the online shop's support, HackerOne, and the third-party app developers. A week later, HackerOne said this isn't a high risk for the company, the shop said they would look into it, and the app developers haven't responded. Now, I'm left wondering if I did the right thing, whether I should do more, or if this really is a significant security vulnerability. Should I reach out to the stores individually, or wait to see what happens?
1 Answer
From what you're saying, it seems like the refresh tokens are user-specific and tied to client credentials. If the client secret isn't exposed, there shouldn't be a major issue. However, I totally understand your concern. In general, refresh tokens are opaque and meant to operate under specific conditions. Trusting everything ChatGPT says might not be the best approach, though!

Thanks for the clarification! But wouldn’t just having the refresh token and client ID allow someone to generate a new access token if they're using a public client?
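To make the public-vs-confidential distinction from the answer and the follow-up concrete, here is an added example (not code from the original post, the app in question, or any real token endpoint): a small Python model of an OAuth 2.0 token endpoint handling the refresh_token grant, the way RFC 6749 describes it. Client ids, the secret, user ids and every token are constructed sample values; the refresh-token rotation and reuse handling follows the rotation approach RFC 6749 §10.4 suggests, modelled here in simplified form.

```python
"""Added example, not part of the original thread.

A minimal OAuth 2.0 authorization-server model for the refresh_token grant,
used to show what a leaked refresh token plus client_id buys a caller when
the client is public versus confidential, and how rotation limits the damage.
All identifiers and secrets below are constructed sample values.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Client:
    client_id: str
    # None models a public client: it has no secret to present, so the token
    # endpoint can only verify that the refresh token was issued to this client_id.
    client_secret: Optional[str]


@dataclass
class AuthServer:
    clients: Dict[str, Client]
    # live refresh tokens: token -> (client_id it was issued to, user it belongs to)
    live: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    # rotated-out tokens: old token -> the token that replaced it
    consumed: Dict[str, str] = field(default_factory=dict)

    def issue_refresh_token(self, client_id: str, user_id: str) -> str:
        tok = secrets.token_urlsafe(32)
        self.live[tok] = (client_id, user_id)
        return tok

    def refresh(self, client_id: str, refresh_token: str,
                client_secret: Optional[str] = None) -> dict:
        client = self.clients.get(client_id)
        if client is None:
            return {"error": "invalid_client"}
        # Confidential clients must authenticate first: a leaked refresh token
        # on its own is refused before the token is even looked at.
        if client.client_secret is not None:
            if client_secret is None or not hmac.compare_digest(
                    client.client_secret.encode(), client_secret.encode()):
                return {"error": "invalid_client"}
        # Replay of an already-rotated token is a leak signal: revoke the whole
        # chain of replacements so the grant stops working for everyone.
        if refresh_token in self.consumed:
            tok = refresh_token
            while tok in self.consumed:
                tok = self.consumed.pop(tok)
            self.live.pop(tok, None)
            return {"error": "invalid_grant"}
        bound = self.live.get(refresh_token)
        # The token must exist and must have been issued to this very client_id.
        if bound is None or bound[0] != client_id:
            return {"error": "invalid_grant"}
        # Rotation: consume the presented token and hand out a fresh one.
        del self.live[refresh_token]
        new_refresh = self.issue_refresh_token(client_id, bound[1])
        self.consumed[refresh_token] = new_refresh
        return {"access_token": secrets.token_urlsafe(24),
                "refresh_token": new_refresh, "user_id": bound[1]}


def demo() -> dict:
    """Walk through the situations discussed in the thread: a refresh token
    shipped in a script, with and without the client secret also available."""
    secret = "constructed-client-secret"
    srv = AuthServer(clients={
        "shop-app-public": Client("shop-app-public", None),
        "shop-app-confidential": Client("shop-app-confidential", secret),
    })
    leaked_public = srv.issue_refresh_token("shop-app-public", "merchant-42")
    leaked_conf = srv.issue_refresh_token("shop-app-confidential", "merchant-42")
    out = {}
    # A token is bound to the client it was issued to; another client_id cannot redeem it.
    out["cross_client"] = srv.refresh(
        "shop-app-confidential", leaked_public, secret).get("error")
    # Public client: the leaked token plus client_id is all the endpoint can check.
    first = srv.refresh("shop-app-public", leaked_public)
    out["public_leaked_token_works"] = "access_token" in first
    # Confidential client without the secret: refused at client authentication.
    out["confidential_without_secret"] = srv.refresh(
        "shop-app-confidential", leaked_conf).get("error")
    # Confidential client with the secret: works, so a leaked secret changes the picture.
    out["confidential_with_secret_works"] = "access_token" in srv.refresh(
        "shop-app-confidential", leaked_conf, secret)
    # Rotation: replaying the consumed public-client token fails and also
    # revokes the replacement issued above.
    out["replay_after_rotation"] = srv.refresh(
        "shop-app-public", leaked_public).get("error")
    out["replacement_revoked_after_replay"] = srv.refresh(
        "shop-app-public", first["refresh_token"]).get("error")
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model shows why the answer hinges on whether the client secret was in the script too: for the confidential client the leaked token is useless without it, while for the public client the token endpoint has nothing else to check, which is exactly the concern in the follow-up comment. Rotation with reuse detection is the usual mitigation an authorization server can apply for public clients, since a replayed token then invalidates the grant instead of quietly minting access tokens.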