HackerOne Disclosed Reports - 2026-07-09

0 Replies, 15 Views

Logo
Medium
resolved

Kiro IDE Stores Auth Tokens with World-Readable Permissions (0644)


Bug reported by Sergio Garcia was disclosed at July 9, 2026, 3:31 pm   |   Incorrect Default Permissions

The Kiro IDE (version 0.11.107) wrote authentication tokens (access token and refresh token) to a file with world-readable permissions (0644). The file contained sensitive information, including the access token, refresh token, and profile ARN. This exposed the credentials to potential unauthorized access by local processes or users.


[Image: e72398fe92beda2aa80d0329e8b9f4febece7568.gif]



Users browsing this thread: 1 Guest(s)