BidSlammer DemoController.js Info Disclosure


Hey there,

Just responsibly disclosing that the `https://bidslammer.com/js/demoController.js` web resource discloses an API key to use on your platform.

In addition, your application - upon successful authentication and redirection to `https://bidslammer.com/index.php/user/`, discloses not only the password hash (passhash), but the cleartext credential (password) of the user who has authenticated, along with the ebayEIASToken and ebayToken used to authenticate with ebay (presumably).

As a recommendation, I suggest:
1 - Removing the demo API key
2 - Not storing credentials or secrets in cleartext (as well as not disclosing them to a browsing user)
3 - Not using the SHA1 hashing mechanism for generating password hashes. An alternative could be bcrypt (https://www.php.net/manual/en/function.password-hash.php)

Further reading can be observed here: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html

Thanks very much and have a great day :)
ent***_01
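The third recommendation (bcrypt via PHP's `password_hash()` instead of SHA1) and the second (not handing secrets to the browser) can be illustrated together. The following is an added example written for this thread; it is not BidSlammer's code and says nothing about how their `index.php/user/` endpoint is implemented. It assumes a legacy user row holds an unsalted SHA1 hex digest in a `passhash` column and that the application hands a user object to the browser after login; the field names (`passhash`, `ebayToken`, `displayName`) and the cost factor are assumptions for the demo.

```php
<?php
// Added example, not the vendor's code: bcrypt password storage via
// password_hash(), transparent migration of legacy SHA1 hashes on next
// login, and a browser-facing user object that omits every secret.
// Column names, session shape and cost factor are assumptions.

declare(strict_types=1);

const BCRYPT_OPTIONS = ['cost' => 12];

/** Hash a password with bcrypt (salted, slow, self-describing output). */
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
}

/** True if the stored value looks like a legacy unsalted SHA1 hex digest. */
function isLegacyHash(string $stored): bool
{
    return (bool) preg_match('/^[0-9a-f]{40}$/i', $stored);
}

/**
 * Check a login attempt against the stored hash.
 * Returns the hash to persist (upgraded to bcrypt if it was legacy or
 * under-cost) on success, or null on failure. Never returns the password.
 */
function verifyAndUpgrade(string $password, string $stored): ?string
{
    if (isLegacyHash($stored)) {
        // Constant-time compare of the legacy digest, then rehash with bcrypt
        // so the SHA1 value can be discarded on this login.
        if (!hash_equals($stored, hash('sha1', $password))) {
            return null;
        }
        return hashPassword($password);
    }
    if (!password_verify($password, $stored)) {
        return null;
    }
    // Rehash if the cost parameters have been raised since this hash was made.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTIONS)) {
        return hashPassword($password);
    }
    return $stored;
}

/**
 * Build the user object returned to the browser after login. Only an
 * allow-list of non-secret fields survives: no password, no passhash,
 * no third-party tokens.
 */
function sessionPayload(array $userRow): array
{
    $allowed = ['id', 'username', 'displayName'];
    return array_intersect_key($userRow, array_flip($allowed));
}

// Constructed demo row (not a real account); assumed column names.
$row = [
    'id'          => 1,
    'username'    => 'demo',
    'displayName' => 'Demo User',
    'passhash'    => sha1('correct horse'),       // legacy SHA1 hash
    'ebayToken'   => 'CONSTRUCTED-TOKEN-PLACEHOLDER',
];

$upgraded = verifyAndUpgrade('correct horse', $row['passhash']);
assert($upgraded !== null && !isLegacyHash($upgraded));      // migrated to bcrypt
assert(verifyAndUpgrade('wrong password', $row['passhash']) === null);
assert(password_verify('correct horse', $upgraded));

$row['passhash'] = $upgraded;            // persist the bcrypt hash instead
print_r(sessionPayload($row));           // prints id/username/displayName only
```

The allow-list in `sessionPayload()` is the piece that addresses the second finding: the row may still carry `passhash` and eBay tokens server-side, but nothing outside the allow-list can reach the browser, whatever columns are added to the table later. Rehashing on login means no bulk migration is needed and the cleartext password never has to be stored to complete it.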
Hello Chris,

Thank you for the report. The second thing you reported is critical and I'll let you know when we have done a hotfix so you can take a look.

Did you use an AI scrubber of some kind, or just View Source?

The public API key isn't a big deal since it can only do public searches.
bidslammer