Trail of Bits

BitcoinBeach

Type: Security review
Client: Galoy
Date: 2022-03
Domain: Blockchain
Effort: 4 wks
Section: Technology Product Reviews

Trail of Bits's security review of Galoy (Mar 2022) identified 24 issues: 2 high, 5 medium, 12 low, and 5 informational.

Findings · 24

  1. Insecure download process for the yq tool · Low
  2. Use of unencrypted HTTP scheme · Low
  3. Lack of expiration and revocation mechanism for JWTs · Medium
  4. Use of insecure function to generate phone codes · Low
  5. Redundant basic authentication method · Informational
  6. GraphQL queries may facilitate CSRF attacks · Low
  7. Potential ReDoS risk · Informational
  8. Use of MD5 to generate unique GeeTest identifiers · Low
  9. Reliance on SMS-based OTPs for authentication · Medium
  10. Incorrect handling and implementation of SMS OTPs · High
  11. Vulnerable and outdated Node packages · Medium
  12. Outdated and internet-exposed Grafana instance · High
  13. Incorrect processing of GET path parameter · Low
  14. Discrepancies in API and GUI access controls · Low
  15. Cloud SQL does not require TLS connections · Low
  16. Kubernetes node pools are not configured to auto-upgrade · Informational
  17. Overly permissive firewall rules · Medium
  18. Lack of uniform bucket-level access in Terraform state bucket · Informational
  19. Insecure storage of passwords · Medium
  20. Third-party container images are not version pinned · Low
  21. Compute instances do not leverage Shielded VM features · Informational
  22. Excessive container permissions · Low
  23. Unsigned and unversioned Grafana BigQuery Datasource plugin · Low
  24. Insufficient validation of JWTs used for GraphQL subscriptions · Low

Findings extracted from the published report PDF. See the full report below for details and remediation.
