Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

shsuishang ShopSuite ModulithShop Hard-Coded Credentials Vulnerability

Vulnerability

A vulnerability exists in shsuishang ShopSuite ModulithShop in versions prior to commit 45a99398cec3b7ad7ff9383694f0b53339f2d35a: cryptographic secrets and database credentials are hard-coded in the Java source code. The issue affects the RSA, OAuth2, and database components. Because these secrets are compiled into the application binary, they can be recovered from the source code repository or by reverse engineering the built artifact. An attacker who obtains them can extract the RSA private keys, impersonate OAuth2 clients, and gain unauthorized access to databases, particularly staging or development environments.

Impact

The hard-coded credentials can be extracted and misused, leading to unauthorized access and actions within the application. This includes decrypting data encrypted with the exposed RSA keys, forging encrypted messages, impersonating OAuth2 clients (mobile, admin, or WeChat), and accessing staging or development databases through extracted database credentials.

Remediation

Rotate all exposed secrets first, including the RSA keys, OAuth2 client secrets, and database passwords; until they are rotated, removing them from the source code does not help, since they are already present in repository history and existing builds. After rotation, remove the hard-coded credentials from the source code and replace them with configuration injection that loads secrets at runtime from an external source such as environment variables or a secret management tool. Longer-term measures include adopting security-first development practices, establishing code review guidelines that catch embedded secrets, controlling access to production secrets, and securing test code so that it does not carry real credentials.
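The following Java class illustrates the remediation step described above: a secret that used to be a string literal in the source is instead read from the process environment at start-up, with a fail-fast check so a missing value cannot silently fall back to a default. This is an added example written for this page, not code from ModulithShop or its maintainers; the environment variable names, the class name, and the commented-out anti-pattern literal are all constructed for illustration.

```java
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;

// Added example (not ModulithShop code): contrasts a hard-coded secret with
// environment-based configuration injection. All names are hypothetical.
public final class SecretConfig {

    // ANTI-PATTERN (constructed, not from the project): a literal secret compiled
    // into the class file ships in every build artifact and every clone of the repo.
    // private static final String DB_PASSWORD = "example-hardcoded-password";

    // HARDENED: secrets are injected from the environment when the class is built.
    private final String dbPassword;
    private final String oauthClientSecret;
    private final PrivateKey rsaPrivateKey;

    private SecretConfig(String dbPassword, String oauthClientSecret, PrivateKey rsaPrivateKey) {
        this.dbPassword = dbPassword;
        this.oauthClientSecret = oauthClientSecret;
        this.rsaPrivateKey = rsaPrivateKey;
    }

    // Variable names below are assumptions for this example; a real deployment
    // would have the secret manager or container runtime populate them.
    public static SecretConfig fromEnvironment() {
        String dbPassword = require("SHOP_DB_PASSWORD");
        String oauthSecret = require("SHOP_OAUTH_CLIENT_SECRET");
        PrivateKey key = parsePkcs8(require("SHOP_RSA_PRIVATE_KEY_B64"));
        return new SecretConfig(dbPassword, oauthSecret, key);
    }

    // Fail fast at start-up: an absent secret is a deployment error, never a
    // reason to fall back to a built-in default value.
    static String require(String name) {
        String value = System.getenv(name);
        if (value == null || value.isBlank()) {
            throw new IllegalStateException("Missing required secret: " + name);
        }
        return value;
    }

    // Decodes a base64-encoded PKCS#8 DER private key (the body of a PEM file
    // with its header and footer lines removed). The error message names only
    // the problem, never the key material.
    static PrivateKey parsePkcs8(String base64Der) {
        try {
            byte[] der = Base64.getDecoder().decode(base64Der.replaceAll("\\s", ""));
            return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            throw new IllegalStateException("RSA private key is not valid PKCS#8 DER", e);
        }
    }

    public String dbPassword() { return dbPassword; }
    public String oauthClientSecret() { return oauthClientSecret; }
    public PrivateKey rsaPrivateKey() { return rsaPrivateKey; }

    // Prevent accidental disclosure through logging or string concatenation.
    @Override
    public String toString() { return "SecretConfig[redacted]"; }

    public static void main(String[] args) {
        SecretConfig cfg = SecretConfig.fromEnvironment();
        // Only non-secret metadata is printed.
        System.out.println("Secrets loaded; RSA key algorithm: " + cfg.rsaPrivateKey().getAlgorithm());
    }
}
```

To try it, export the three variables (the key value is the base64 body of an unencrypted PKCS#8 PEM, which `openssl pkcs8 -topk8 -nocrypt` produces) and run `java SecretConfig`; omitting any variable makes start-up fail with a clear message instead of the application running with an empty or default credential. The example covers only the "replace" half of the remediation: the rotation of the already-exposed values must happen before this change is deployed.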

Added: Nov 16, 2025, 11:17 PM
Updated: Nov 16, 2025, 11:17 PM

Vulnerability Rating (Custom Algorithm)

spread: 0.0
impact: 5.0
exploitability: 9.1
remediation: 0.0
relevance: 1.1
threat: 8.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.