Summary
The library hardcodes both CURLOPT_SSL_VERIFYPEER = false and CURLOPT_SSL_VERIFYHOST = 0 unconditionally in its curl() method. Trakt.tv username + password credentials are POSTed to /auth/login over this unverified TLS connection. No configuration option exists to enable TLS verification.
Additionally, the auth token from login is stored in $this->userToken but never applied to subsequent request headers — authenticated API calls after login are broken.
Details
trakt.php — curl() method:
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // 🔴 Unconditional
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); // 🔴 Unconditional
Credentials POSTed over unverified TLS:
public function setAuth($username, $password) {
$this->username = $username;
$this->password = $password;
}
public function login() {
return json_decode($this->curl(
'POST',
'/auth/login',
array('username' => $this->username, 'password' => $this->password)
));
}
Secondary Bug: Auth Token Never Used
getUrl() calls login() and stores the token in $this->userToken, but the curl() method never references it — meaning authenticated API calls after login either fail or rely on Set-Cookie persistence from the login response.
Impact
- Trakt.tv username + password POSTed over unverified TLS
- MITM attacker can capture credentials and:
- Access victim's watch history, collections, ratings
- Modify watchlists and collections
- Access connected services and social features
- No configuration flag to enable SSL verification
Remediation
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
Severity
CVSS 3.1: 8.1 (HIGH) — AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-295: Improper Certificate Validation
Summary
The library hardcodes both
CURLOPT_SSL_VERIFYPEER = falseandCURLOPT_SSL_VERIFYHOST = 0unconditionally in itscurl()method. Trakt.tv username + password credentials are POSTed to/auth/loginover this unverified TLS connection. No configuration option exists to enable TLS verification.Additionally, the auth token from login is stored in
$this->userTokenbut never applied to subsequent request headers — authenticated API calls after login are broken.Details
trakt.php—curl()method:Credentials POSTed over unverified TLS:
Secondary Bug: Auth Token Never Used
getUrl()callslogin()and stores the token in$this->userToken, but thecurl()method never references it — meaning authenticated API calls after login either fail or rely onSet-Cookiepersistence from the login response.Impact
Remediation
Severity
CVSS 3.1: 8.1 (HIGH) —
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HCWE-295: Improper Certificate Validation