
API secret should be masked (asterisks) on the application screen.

Open tripatpu opened this issue 3 years ago • 1 comments

Vulnerability details: The API secret for a vendor does not have functionality to mask the API secret on screen. An attacker could easily capture this API secret through a shoulder-surfing attack.

It is always advisable to mask the API secret on screen so as not to disclose it.

Secret masking allows you to keep sensitive data private. This sensitive data can include information like API keys, authentication tokens, passwords, or other types of critical information. Secret masking obscures the values stored for some data fields, preventing the critical values from being displayed.

All the secure sites (AWS, GCP, Amazon) follow the same practice of masking the API key on screen. It is over HTTPS, but as a defense-in-depth strategy it should be masked on screen so that an attacker won't be able to shoulder surf the data.

At least masking such as ******** should be utilized; if anyone needs to see the secret, then only a toggle-visibility option needs to be there. An API secret is like a password, so it needs to be masked.

So hence this vulnerability is applicable; however, the severity might be low.

API secret masking needs to be implemented as in the attached screenshot.


tripatpu, Mar 15 '22 04:03
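The masking behaviour the issue asks for (a fixed run of asterisks on screen, with a show/hide toggle), as an added example that is not part of the issue or of the VRT project. It goes slightly beyond the post: the mask is a fixed length so the rendered text does not leak how long the secret is, and an optional last-four-character suffix is kept visible so a user can tell keys apart. The `maskSecret`, `SecretField` and `attachToDom` names, and the `SAMPLE_SECRET` value, are assumptions constructed for the example; this is purely a display-side control and does nothing about how the secret is transported or stored.

```javascript
// Added example, not code from the issue or the VRT project.
// Display-side masking of an API secret with a visibility toggle.

const MASK_CHAR = "*";
// Fixed length: the on-screen mask must not reveal the real secret's length.
const FIXED_MASK_LENGTH = 8;

// Return the string that should be painted on screen for `secret`.
//   revealed=false, keepSuffix=0 -> "********"
//   revealed=false, keepSuffix=4 -> "********abcd" (suffix helps identify which key it is)
//   revealed=true                -> the secret itself (only after the user toggles it)
function maskSecret(secret, { revealed = false, keepSuffix = 0 } = {}) {
  if (typeof secret !== "string") throw new TypeError("secret must be a string");
  if (revealed) return secret;
  if (keepSuffix <= 0 || secret.length <= keepSuffix) {
    // Too short to safely expose a suffix: mask everything.
    return MASK_CHAR.repeat(FIXED_MASK_LENGTH);
  }
  return MASK_CHAR.repeat(FIXED_MASK_LENGTH) + secret.slice(-keepSuffix);
}

// Small view-model: holds the secret and the current visibility state.
class SecretField {
  constructor(secret, keepSuffix = 4) {
    this.secret = secret;
    this.keepSuffix = keepSuffix;
    this.revealed = false; // masked by default, as for a password field
  }
  toggle() {
    this.revealed = !this.revealed;
    return this.revealed;
  }
  render() {
    return maskSecret(this.secret, { revealed: this.revealed, keepSuffix: this.keepSuffix });
  }
}

// Wire the field to the DOM when one exists (browser); returns null under Node.
function attachToDom(field, doc = typeof document !== "undefined" ? document : null) {
  if (!doc) return null;
  const span = doc.createElement("span");
  const button = doc.createElement("button");
  button.type = "button";
  const paint = () => {
    span.textContent = field.render();
    button.textContent = field.revealed ? "Hide" : "Show";
  };
  button.addEventListener("click", () => {
    field.toggle();
    paint();
  });
  paint();
  return { span, button };
}

// Constructed sample value for the example; not a real credential.
const SAMPLE_SECRET = "sk_test_EXAMPLE_0123456789abcd";
```

In a page the two elements returned by `attachToDom` are appended next to the secret's label; the secret only appears in the rendered text after the user clicks "Show", and clicking again masks it.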

IMO it's P5 unless there is a direct threat such as non-TLS use, etc.

BountyOverflow, Mar 20 '22 07:03

I agree with @BountyOverflow. The security impact is very low, since it requires physical access to the victim's device, or the secret being exposed in an HTTP endpoint. Based on this, it is not necessary to add a specific VRT entry for this.

TimmyBugcrowd, Jan 08 '23 20:01