
I know the SECRET_KEY for a website made in Django. The owner of the site has accidentally made the settings.py public.

What are the implications of making SECRET_KEY public? How can someone use this to attack the system?

From Django's official documentation, they have only mentioned what the SECRET_KEY is used for:

The secret key is used for:

  1. All sessions if you are using any other session backend than django.contrib.sessions.backends.cache, or are using the default get_session_auth_hash().
  2. All messages if you are using CookieStorage or FallbackStorage.
  3. All PasswordResetView tokens.
  4. Any usage of cryptographic signing, unless a different key is provided.
Anders
abybaddi009
  • If saying "hey, I know a bit about Django, and you shouldn't publish your settings file because [documentation link]" can get you persecuted in your country, I'd rather keep my head down. – user155462 Feb 07 '18 at 09:24
  • In my opinion it is always a good thing to inform them of security-related issues even if they do not have a responsible disclosure policy. Nothing should happen as long as you did not abuse this security issue. The response is often "panic", as in "we'll sue you". Just make clear that you're trying to help them out by disclosing this. You should be fine. – Jeroen Feb 07 '18 at 09:30
  • Possible duplicate of [How to report vulnerabilities without being regarded as a hacker?](https://security.stackexchange.com/questions/71905/how-to-report-vulnerabilities-without-being-regarded-as-a-hacker) – Sjoerd Feb 07 '18 at 12:24
  • I've edited out the question about how to go about reporting the vulnerability, as that's a side question and also a duplicate of https://security.stackexchange.com/q/71905/16960 . The main question around `SECRET_KEY` in Django is on-topic and should not be closed. – Xiong Chiamiov Feb 09 '18 at 01:42

2 Answers


You can report it to the owner or the security team. Politely ask them to change the settings. You can provide them with the correct documentation and also suggest the proper settings. You are doing them a favor, but the response you get depends on the person at the other end. They are not going to file a case against you if you have not done any harm to them.

Navi

I wouldn't count on their kindness and I would use Tor. Set up an email account and use it to report that fact, but only over Tor. You never know what kind of people are on the other side.

Aria