Bambuddy Uses Hardcoded Secret Key + Many API Endpoints do not Require Authentication
A hardcoded secret key used for signing JWTs is checked into source code ManyAPI routes do not check authentication print("\n" + "=" * 70) print("\n[SUMMARY]\n") print(f"Endpoints accessible WITHOUT authentication ({len(results['no_auth'])}):") for ep in results["no_auth"]: print(f" - {ep}") print(f"\nEndpoints accessible with FORGED JWT only ({len(results['jwt_only'])}):") for ep in results["jwt_only"]: print(f" - {ep}") print(f"\nEndpoints that rejected both ({len(results['both_fail'])}):") for ep, no_auth, jwt_auth in results["both_fail"]: print(f" - {ep} (no_auth: {no_auth}, jwt: {jwt_auth})") if …