Gophish Incorrect Access Control Vulnerability Allowing API Key Exposure

Vulnerability

An incorrect access control vulnerability has been identified in Gophish versions through 0.12.1. The issue arises because the administrative dashboard exposes each user's long-lived API key in cleartext within the HTML and JavaScript of the page upon login. This exposure allows any script running in the browser context to access these permanent API credentials. The vulnerability enables persistent access to the application's REST API, as the API key remains valid outside of the web session. Regenerating the API key does not resolve the issue, as the new key is also embedded and exposed on subsequent logins.

Impact

Exploitation of this vulnerability allows for permanent access to the Gophish API using the exposed API key, even after the administrator logs out or rotates their credentials.

Reproduction

To reproduce this vulnerability, log into the Gophish administrative dashboard. Once logged in, open the page source or browser developer tools to inspect the embedded JavaScript. The user object will contain the API key in cleartext. After logging out and rotating the API key, logging back in will reveal that the new API key is again embedded in the page, demonstrating the persistence of the exposure.

Remediation

It is recommended to avoid embedding long-lived API credentials in client-side HTML or JavaScript. Instead, use short-lived session-bound tokens for user interface operations and only display API keys when explicitly requested by the user.
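The following Go program is an added example, not Gophish's own code. It contrasts the rendering pattern the advisory describes (the whole user object, API key included, serialised into the page's inline JavaScript on every login) with the remediation above (the page receives only the fields the UI needs, and the key is returned only by an explicit, session-authenticated POST whose response is marked no-store). It also turns the check from the Reproduction section into a function, pageExposesKey, that asks whether a rendered page body contains the key verbatim. All type, field, route and cookie names (user, dashboardView, /api/key/reveal, session) are assumptions for this example, and the key and session values are constructed placeholders.

```go
package main

import (
	"fmt"
	"html/template"
	"net/http"
	"net/http/httptest"
	"strings"
)

// user is this example's own minimal model of a dashboard user holding a
// long-lived API key. The names are assumptions, not Gophish's types.
type user struct {
	Username string
	APIKey   string
}

// Vulnerable pattern: the whole user object, key included, is JSON-encoded
// into the page's inline JavaScript. Any script in the page can read it.
var vulnerableTmpl = template.Must(template.New("dash").Parse(
	`<html><body><script>var user = {{.}};</script></body></html>`))

// Hardened pattern: the page only receives the fields the UI needs, so the
// key never appears in the HTML or inline JavaScript.
type dashboardView struct{ Username string }

var hardenedTmpl = template.Must(template.New("dash").Parse(
	`<html><body><script>var user = {{.}};</script>` +
		`<button id="reveal">Show API key</button></body></html>`))

func renderVulnerable(u user) string {
	var b strings.Builder
	if err := vulnerableTmpl.Execute(&b, u); err != nil {
		panic(err)
	}
	return b.String()
}

func renderHardened(u user) string {
	var b strings.Builder
	if err := hardenedTmpl.Execute(&b, dashboardView{Username: u.Username}); err != nil {
		panic(err)
	}
	return b.String()
}

// pageExposesKey is the defender-side check from the Reproduction section:
// does the rendered dashboard body contain the user's API key verbatim?
func pageExposesKey(page, apiKey string) bool {
	return apiKey != "" && strings.Contains(page, apiKey)
}

// server holds session state for the explicit-reveal endpoint. Sessions are a
// constructed in-memory map from session cookie value to user.
type server struct {
	sessions map[string]user
}

// revealKey returns the API key only for an explicit, authenticated POST. The
// key is never rendered into a page, and the response is marked no-store so
// caches do not retain it.
func (s *server) revealKey(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	c, err := r.Cookie("session")
	if err != nil {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	u, ok := s.sessions[c.Value]
	if !ok {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	w.Header().Set("Cache-Control", "no-store")
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	fmt.Fprint(w, u.APIKey)
}

// reveal drives revealKey with an in-memory request and returns status and body.
func (s *server) reveal(method, sessionCookie string) (int, string) {
	req := httptest.NewRequest(method, "/api/key/reveal", nil)
	if sessionCookie != "" {
		req.AddCookie(&http.Cookie{Name: "session", Value: sessionCookie})
	}
	rec := httptest.NewRecorder()
	s.revealKey(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	// Constructed sample user and session; the key is a placeholder value.
	alice := user{Username: "alice", APIKey: "EXAMPLE-API-KEY-0000"}
	srv := &server{sessions: map[string]user{"sess-abc": alice}}

	fmt.Println("vulnerable page exposes key:", pageExposesKey(renderVulnerable(alice), alice.APIKey))
	fmt.Println("hardened page exposes key:  ", pageExposesKey(renderHardened(alice), alice.APIKey))
	code, body := srv.reveal(http.MethodPost, "sess-abc")
	fmt.Println("explicit reveal:", code, body)
	code, _ = srv.reveal(http.MethodPost, "bogus")
	fmt.Println("reveal without valid session:", code)
}
```

The reveal endpoint still authenticates with the session cookie, so in a real deployment it needs the same CSRF protection as any other state-sensitive POST; that is left out here to keep the contrast between the two rendering patterns clear. Note also that the check in pageExposesKey is only as good as the key you feed it: run it against the page body returned for a freshly rotated key, as the Reproduction section does, to confirm the rotation actually removed the exposure rather than re-embedding the new value.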

Added: Feb 6, 2026, 6:20 PM
Updated: Feb 7, 2026, 12:03 AM

Vulnerability Rating

Custom Algorithm

spread          5.0
impact          5.4
exploitability  5.7
remediation     0.0
relevance       2.6
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.