[Security] WebSocket Connection Logs Expose Proxy Credentials #259

Description

@mefai-dev

Bug Name

WebSocket Connection Logs Expose Proxy Credentials

Attack Scenario

WebSocket manager logs full proxy configuration at DEBUG level in two locations. If users configure authenticated proxies with username/password, proxy credentials appear in plaintext in logs.

Impact

Proxy credentials in log files exposed to anyone with log access (monitoring systems, log aggregation, shared hosting).

Components

File: /binance/websocket/binance_socket_manager.py, lines 44-51. Two logging.debug calls with self.proxies. parse_proxies() in utils.py extracts username/password.

Reproduction

  1. Configure WebSocket with authenticated proxy (http://user:pass@proxy:8080).
  2. Enable DEBUG logging.
  3. Full proxy URL with credentials visible in log output.

Fix

Sanitize proxy URLs before logging by stripping the userinfo component. Log only the proxy hostname.

Details

Finding ID: L-01
Severity: Low


Researcher: Independent Security Researcher -- Mefai Security Team
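
One way to implement the sanitization described under Fix, as an added example that is not part of the original issue or the project's code. It assumes the proxy setting is a dict mapping scheme to proxy URL; the function, class and logger names are hypothetical and the sample URL is constructed.

```python
import io
import logging
import re
from urllib.parse import urlsplit

def redact_proxy_url(url):
    """Return scheme://host[:port] only; fail closed if the URL cannot be parsed."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port  # .port raises ValueError on junk
    except ValueError:
        return "<unparseable proxy URL>"
    if not parts.scheme or not host:
        return "<unparseable proxy URL>"
    if ":" in host:  # IPv6 literal needs its brackets back
        host = f"[{host}]"
    return f"{parts.scheme}://{host}:{port}" if port else f"{parts.scheme}://{host}"

def redact_proxies(proxies):
    """Assumed shape: dict of scheme -> proxy URL, e.g. {"https": "http://u:p@host:8080"}."""
    return {k: redact_proxy_url(v) for k, v in (proxies or {}).items()}

# Defence in depth: scrub userinfo from any URL that still reaches a handler.
_USERINFO = re.compile(r"(://)[^\s/'\"]*@")

class RedactUserinfoFilter(logging.Filter):
    def filter(self, record):
        record.msg = _USERINFO.sub(r"\1***@", record.getMessage())
        record.args = None  # message is already formatted
        return True

def demo():
    """Log a constructed proxy config both ways and return the captured output."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.addFilter(RedactUserinfoFilter())  # on the handler, so it sees every logger
    log = logging.getLogger("ws_demo")  # hypothetical logger name
    log.setLevel(logging.DEBUG)
    log.propagate = False
    log.addHandler(handler)
    proxies = {"https": "http://user:p@ss@proxy:8080"}  # constructed sample
    log.debug("proxies: %s", redact_proxies(proxies))  # sanitized at the call site
    log.debug("proxies: %s", proxies)  # unsanitized call, caught by the filter
    log.removeHandler(handler)
    return buf.getvalue()

if __name__ == "__main__":
    print(demo())
```

The call-site redaction is the primary fix; the handler filter only catches call sites that were missed, and it must be attached to handlers rather than a parent logger because logger-level filters do not see records propagated from child loggers.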
