Dark C0d3rs
HackerOne Disclosed Reports - 2026-07-09 - Printable Version

+- Dark C0d3rs (https://darkcoders.wiki)
+-- Forum: Exploit Log (https://darkcoders.wiki/Forum-Exploit-Log)
+--- Forum: Research Papers/Vulnerability reports (https://darkcoders.wiki/Forum-Research-Papers-Vulnerability-reports)
+--- Thread: HackerOne Disclosed Reports - 2026-07-09 (/Thread-HackerOne-Disclosed-Reports-2026-07-09)



HackerOne disclosed reports - 2026-07-09 - hashXploiter - 07-10-2026

Logo
Medium
resolved

Kiro IDE Stores Auth Tokens with World-Readable Permissions (0644)


Bug reported by Sergio Garcia was disclosed at July 9, 2026, 3:31 pm   |   Incorrect Default Permissions

The Kiro IDE (version 0.11.107) wrote authentication tokens (access token and refresh token) to a file with world-readable permissions (0644). The file contained sensitive information, including the access token, refresh token, and profile ARN. This exposed the credentials to potential unauthorized access by local processes or users.