Bug Name
WebSocket Connection Logs Expose Proxy Credentials
Attack Scenario
The WebSocket socket manager logs the full proxy configuration (self.proxies) at DEBUG level in two places. If a user configures an authenticated proxy, i.e. a proxy URL with a username and password in its userinfo part, those credentials are written to the log in plaintext.
Impact
Proxy credentials end up in log files and are exposed to anyone with log access (monitoring systems, log aggregation pipelines, shared hosting). Exposure requires DEBUG logging to be enabled, which is common during development and troubleshooting and is the reason the severity is rated Low.
Components
File: /binance/websocket/binance_socket_manager.py, lines 44-51: two logging.debug calls that emit self.proxies. parse_proxies() in utils.py extracts the username/password from the proxy URL.
Reproduction
- Configure WebSocket with authenticated proxy (http://user:pass@proxy:8080).
- Enable DEBUG logging.
- Observe the full proxy URL, including the username and password, in the log output.
Fix
Sanitize proxy URLs before logging by stripping the userinfo component (user:password@). Log only the scheme, hostname and port, and never pass the raw self.proxies mapping to a log call.
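The following is an added example, not code from binance-connector-python or from the researcher: it reproduces the leak with a constructed proxies mapping, then shows the hardened logging path that strips the userinfo before the DEBUG call. The helpers redact_proxy_url, redact_proxies, debug_log_proxies and password_leaked are hypothetical names chosen here; the project's own functions and log message text are not reproduced.

```python
import logging
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: a requests-style proxies mapping with an authenticated proxy.
SAMPLE_PROXIES = {
    "http": "http://user:pass@proxy:8080",
    "https": "http://user:pass@proxy:8080",
}


def redact_proxy_url(url: str) -> str:
    """Return the proxy URL with the userinfo (user:password@) removed.

    Hypothetical helper, not part of the project: it keeps scheme, host and
    port, which is all a debug line needs to be useful.
    """
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url  # nothing to redact
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal: urlsplit strips the brackets, put them back
        host = f"[{host}]"
    netloc = f"{host}:{parts.port}" if parts.port is not None else host
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def redact_proxies(proxies):
    """Redact every URL in a proxies mapping such as the manager's self.proxies."""
    if not proxies:
        return proxies
    return {scheme: redact_proxy_url(url) for scheme, url in proxies.items()}


def debug_log_proxies(proxies, logger: logging.Logger, redact: bool = True) -> None:
    """Stand-in for a logging.debug(..., self.proxies) call.

    redact=False reproduces the finding; redact=True is the hardened form.
    """
    shown = redact_proxies(proxies) if redact else proxies
    logger.debug("Connecting through proxies: %s", shown)


class _CaptureHandler(logging.Handler):
    """Collects formatted log lines so the leak can be checked offline."""

    def __init__(self):
        super().__init__(level=logging.DEBUG)
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def log_line_for(proxies, redact: bool) -> str:
    """Emit one DEBUG line for the given proxies and return its text."""
    logger = logging.getLogger("proxy-leak-example." + ("redacted" if redact else "raw"))
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    handler = _CaptureHandler()
    logger.addHandler(handler)
    try:
        debug_log_proxies(proxies, logger, redact=redact)
    finally:
        logger.removeHandler(handler)
    return handler.lines[0]


def password_leaked(proxies, redact: bool) -> bool:
    """True if any proxy password appears verbatim in the DEBUG line."""
    line = log_line_for(proxies, redact)
    secrets = {urlsplit(u).password for u in proxies.values()} - {None}
    return any(secret in line for secret in secrets)


if __name__ == "__main__":
    print("before:", log_line_for(SAMPLE_PROXIES, redact=False))
    print("after: ", log_line_for(SAMPLE_PROXIES, redact=True))
```

Redacting at the call site is preferable to a log filter that pattern-matches secrets after the fact: the filter has to guess at every format a credential can take, whereas stripping userinfo from the URL object is exact and also covers non-HTTP schemes such as socks5.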
Details
Finding ID: L-01
Severity: Low
Researcher: Independent Security Researcher -- Mefai Security Team