
Public JavaScript Bundle Leaks Production Provider Key, Enabling Unauthenticated Webhook CRUD

Reported: Feb 21, 2026
Severity: Critical
Platform: Web
Vulnerability Class: Hardcoded Secrets (CWE-798)
Target Type: Web3 Quests / Loyalty Platform
Impact: Unauthenticated write access to a billed third-party account

The Risk

The platform was shipping a paid third-party account key inside the public website code. Anyone visiting the site could pull that key out and use it to add or delete automated alerts on the company's external service account, all without logging in to anything. That meant an outsider could break the company's automated workflows or run up its bill on a metered service, with nothing more than a web browser.

The Vulnerability

The site was a Next.js application that exposed environment values prefixed for client use. One of those values was a production blockchain data provider API key, embedded in plaintext inside the public _app JavaScript chunk served to every visitor.

The bundle path itself was easy to discover from the homepage HTML, and a simple search inside the bundle for the variable name returned the full RPC URL with the key included as a query string parameter.

The Attack

Locating the Key

Fetching the homepage and grepping for the _app chunk reference produced the exact bundle URL. A single curl request retrieved the bundle, and a search for the provider variable name yielded the URL with the API key in cleartext.

Confirming Read Access

Posting a basic JSON-RPC method to the provider URL returned an HTTP 200 with a valid response, confirming the key was active. A premium asset-listing endpoint also returned data, confirming paid tier access was attached to the leaked key.

Webhook Create and Delete

The provider's webhook management endpoint accepted the same key as a query string credential. An unauthenticated POST created a new webhook (HTTP 201) returning a webhook ID. A follow-up DELETE on that ID returned HTTP 200, removing the test entry. The same primitive could be used to delete the platform's existing operational webhooks.

The Impact

  • Unauthenticated write access to the platform's third-party provider account, billed to the platform.
  • Operational disruption: deletion of legitimate webhooks would break workflows that depend on them.
  • Financial exposure through unauthorized consumption of metered premium endpoints.
  • Additional provider keys were exposed in the same bundle, indicating a systemic pattern of shipping secrets in client environment variables.

Remediation

  • Rotate the exposed provider keys immediately and audit the upstream account for unexpected webhooks or configuration changes.
  • Remove all production secrets from client bundles. Public environment variables should never carry credentials.
  • Proxy provider API interactions through a server-side service that enforces authentication, scoping, and rate limits.
  • Add CI/CD secret scanning on built JavaScript artifacts, not just source code, so credentials cannot reach production unnoticed.
  • Review every client-exposed environment variable and confirm none of them contain secrets.