Earned a Bug Bounty for Responsibly Disclosing a Vulnerability in the Zoho Vault Browser Extension

While reverse-engineering the Zoho Vault browser extension, security researcher Ranjeet Jagtap discovered hardcoded `client_id` and `client_secret` in the `zvconfig.json` file, posing a significant security risk. Such exposed credentials could allow attackers to bypass authentication, escalate privileges, or perform unauthorized API calls.

You Should Know:

1. How to Identify Hardcoded Secrets in Browser Extensions

Browser extensions often store configuration files in plaintext. To inspect them:

For Chrome/Edge Extensions:

1. Navigate to the extensions directory (Chrome keeps each installed extension already unpacked under <extension_id>/<version>/):

cd ~/.config/google-chrome/Default/Extensions/

2. Locate the extension ID (or find it via chrome://extensions).

3. Unpack the extension (needed only for a downloaded .crx; unzip warns about the CRX header bytes that precede the ZIP data, which is harmless):

unzip -q <extension_id>.crx -d ./zoho_vault_inspect

4. Search for sensitive data (-E is required for the | alternation):

grep -rE "client_id|client_secret|api_key" ./zoho_vault_inspect

For Firefox Extensions:

1. Find the extension in your profile directory (the profile folder name carries a random prefix, hence the glob):

cd ~/.mozilla/firefox/*.default-release/extensions/

2. Extract and analyze:

unzip <extension_name>.xpi -d ./ff_extracted

2. Mitigating Hardcoded Secrets

  • Use Environment Variables (injected at build time; note that anything a browser extension needs at runtime still ships to the user, so this keeps secrets out of the repository, not out of the bundle):
    const clientId = process.env.CLIENT_ID;
  • Encrypt Secrets: Use tools like AWS KMS or HashiCorp Vault.
  • Automated Scanning: Use TruffleHog or GitLeaks:
    trufflehog filesystem ./project_dir
    
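As an added example (not the researcher's, Zoho's or TruffleHog's code), the Python below strips the CRX3 header that precedes the ZIP data and then walks every JSON file in the archive for keys named like credentials, covering both the manual inspection steps above and the automated-scanning bullet. The zvconfig.json it inspects is a constructed sample with placeholder values.

```python
import io, json, re, struct, zipfile

# Config keys treated as findings; client_id is included because the post flags it alongside client_secret.
SECRET_KEY_RE = re.compile(r"client_id|client_secret|api_key|secret|token|password", re.I)

def crx_to_zip(crx: bytes) -> bytes:
    """Strip the CRX3 header (magic, version, header length, header) and return the embedded ZIP."""
    if crx[:4] != b"Cr24":
        raise ValueError("not a CRX file")
    version, hdr_len = struct.unpack_from("<II", crx, 4)
    if version != 3:
        raise ValueError(f"unsupported CRX version {version}")
    return crx[12 + hdr_len:]

def walk_keys(node, prefix=""):
    """Yield dotted paths of non-empty string values whose key looks like a credential."""
    if isinstance(node, dict):
        for key, value in node.items():
            path = f"{prefix}.{key}" if prefix else key
            if SECRET_KEY_RE.search(key) and isinstance(value, str) and value:
                yield path
            yield from walk_keys(value, path)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk_keys(value, f"{prefix}[{i}]")

def scan_zip_for_secrets(zip_bytes: bytes) -> list:
    """Return (file, key path) pairs for credential-like keys in every JSON file of the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".json"):
                continue
            try:
                data = json.loads(zf.read(name))
            except ValueError:  # not valid JSON (or not UTF-8); skip rather than abort the scan
                continue
            findings.extend((name, path) for path in walk_keys(data))
    return findings

def build_sample_crx() -> bytes:
    """Constructed CRX3 whose zvconfig.json holds PLACEHOLDER credentials (not real Zoho values)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps({"name": "sample", "manifest_version": 3}))
        zf.writestr("zvconfig.json", json.dumps(
            {"oauth": {"client_id": "PLACEHOLDER_ID", "client_secret": "PLACEHOLDER_SECRET"}}))
    header = b"\x00" * 8  # stand-in for the signed CRX3 header; its contents do not matter for stripping
    return b"Cr24" + struct.pack("<II", 3, len(header)) + header + buf.getvalue()
```

Running `scan_zip_for_secrets(crx_to_zip(build_sample_crx()))` reports both placeholder keys under `oauth` in zvconfig.json and nothing from manifest.json.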

3. Responsible Disclosure Steps

1. Verify the Vulnerability:

curl -H "Authorization: Bearer <client_secret>" https://api.zoho.com/v1/data

2. Report via Platform: Use Zoho’s bug bounty program (HackerOne/Email).

3. Follow Up: Ensure a patch is deployed.

What Undercode Says:

Hardcoded credentials remain a critical flaw in many applications. Developers must:
– Avoid storing secrets in client-side code.
– Implement OAuth2 with PKCE for secure authentication (a public client such as a browser extension cannot keep a client_secret confidential, so PKCE takes its place).
– Regularly audit extensions using Burp Suite or OWASP ZAP:

zap-cli quick-scan --spider -r http://target.com

Expected Output:

  • A patched Zoho Vault extension.
  • Increased awareness of hardcoded secrets in browser extensions.

Prediction:

More browser extensions will face scrutiny for insecure credential storage, leading to stricter security guidelines from Chrome Web Store and Firefox Add-ons.

(Source: LinkedIn Post by Ranjeet Jagtap)

References:

Reported By: Ranjeet Jagtap – Hackers Feeds