Swiftype key stored in JavaScript source
Discovered by sauravpratihar on Newrelic

This issue took 1 day and 6 hours to triage and 5 days and 2 hours to close the report once triaged.



Hi,

I was surfing the New Relic website and found sensitive data, including an authentication key, written in a publicly accessible JavaScript file.

New Relic is using a third-party solution, Swiftype, for crawling or search/suggestion. Below is the link where you can find the auth_key, which would be able to destroy everything, including Create/Edit/Destroy engines, Create/Edit/Delete/View domain for crawling, Create/Edit/Delete/View Document types, also all the Search analytics, Total clicks, top queries, Auto completes, everything.

https://learn.newrelic.com/sites/all/libraries/newrelic/swiftype_lib.js

You can check this API: https://api.swiftype.com/api/v1/engines.json?auth_token=6Crhyrh7Ue_ju3_B3zt7

Impact

Create/Edit/Destroy engines, Create/Edit/Delete/View domain for crawling, Create/Edit/Delete/View Document types, also all the Search analytics, Total clicks, top queries, Auto completes everything.
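
A defender-side follow-up to the report above, as an added example that is not part of the original report or of New Relic's or Swiftype's code: a pre-deploy check that scans JavaScript shipped to browsers for embedded credentials of the kind described. The patterns, the `scanSource` helper, the sample file and its key are all constructed for illustration.

```javascript
// Added example: scan public JavaScript for embedded API credentials before deploy.
// Patterns, helper names and the sample file are constructed for illustration.

// Names that usually hold a secret when assigned a string literal.
const ASSIGNMENT = /\b(auth[_-]?(?:key|token)|api[_-]?key|secret)\b["']?\s*[:=]\s*["']([^"'\s]{16,})["']/gi;
// Credentials passed as URL query parameters, e.g. ...?auth_token=<value>.
const QUERY_PARAM = /[?&](auth_token|api_key)=([A-Za-z0-9_\-]{16,})/gi;

// Shannon entropy in bits per character; low values are words or placeholders.
function entropy(s) {
  const counts = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  return Object.values(counts).reduce((h, n) => {
    const p = n / s.length;
    return h - p * Math.log2(p);
  }, 0);
}

// Keep only a short prefix so the full secret never lands in CI logs.
function redact(v) { return v.slice(0, 4) + '*'.repeat(v.length - 4); }

function scanSource(file, source, minEntropy = 3.0) {
  const findings = [];
  source.split('\n').forEach((line, i) => {
    for (const [kind, re] of [['assignment', ASSIGNMENT], ['query-param', QUERY_PARAM]]) {
      for (const m of line.matchAll(re)) {
        if (entropy(m[2]) < minEntropy) continue; // skip placeholders like "xxxx..."
        findings.push({ file, line: i + 1, kind, name: m[1], value: redact(m[2]) });
      }
    }
  });
  return findings;
}

// Constructed sample standing in for a search-widget library served to browsers.
const SAMPLE = [
  'var searchConfig = {',
  '  engine_key: "public-engine",',
  '  auth_key: "k3Vq9_Zt7Lm2-Xp8Rw5b",   // constructed value',
  '  api_key: "xxxxxxxxxxxxxxxxxxxx"',
  '};',
  'var url = "https://api.example.test/engines.json?auth_token=k3Vq9_Zt7Lm2-Xp8Rw5b";',
].join('\n');

console.log(scanSource('search_lib.js', SAMPLE));
```

A finding from a check like this means the key should be rotated and replaced with a search-only or otherwise scoped credential, since anything in a browser-delivered file is readable by every visitor.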