Dark C0d3rs

Full Version: HackerOne Disclosed Reports - 2026-07-09
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Logo
Medium
resolved

Kiro IDE Stores Auth Tokens with World-Readable Permissions (0644)


Bug reported by Sergio Garcia was disclosed at July 9, 2026, 3:31 pm   |   Incorrect Default Permissions

The Kiro IDE (version 0.11.107) wrote authentication tokens (access token and refresh token) to a file with world-readable permissions (0644). The file contained sensitive information, including the access token, refresh token, and profile ARN. This exposed the credentials to potential unauthorized access by local processes or users.