Skip to content

Security: CWE-295 TLS Certificate Validation Bypass — Hardcoded SSL Bypass with Trakt.tv Credential Exposure #9

Description

@LeoWSY-hashblue

Summary

The library hardcodes both CURLOPT_SSL_VERIFYPEER = false and CURLOPT_SSL_VERIFYHOST = 0 unconditionally in its curl() method. Trakt.tv username + password credentials are POSTed to /auth/login over this unverified TLS connection. No configuration option exists to enable TLS verification.

Additionally, the auth token from login is stored in $this->userToken but never applied to subsequent request headers — authenticated API calls after login are broken.

Details

trakt.phpcurl() method:

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);   // 🔴 Unconditional
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);       // 🔴 Unconditional

Credentials POSTed over unverified TLS:

public function setAuth($username, $password) {
    $this->username = $username;
    $this->password = $password;
}

public function login() {
    return json_decode($this->curl(
        'POST',
        '/auth/login',
        array('username' => $this->username, 'password' => $this->password)
    ));
}

Secondary Bug: Auth Token Never Used

getUrl() calls login() and stores the token in $this->userToken, but the curl() method never references it — meaning authenticated API calls after login either fail or rely on Set-Cookie persistence from the login response.

Impact

  • Trakt.tv username + password POSTed over unverified TLS
  • MITM attacker can capture credentials and:
    • Access victim's watch history, collections, ratings
    • Modify watchlists and collections
    • Access connected services and social features
  • No configuration flag to enable SSL verification

Remediation

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);

Severity

CVSS 3.1: 8.1 (HIGH)AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-295: Improper Certificate Validation

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions