| Title | INDEX Conferences & Exhibitions Organization L.L.C YWF | BPOF | APGCS 1.0.2 Authorization Credential Exposure |
|---|
| Description | In the Android application ae.index.apgcs version 1.0.2, hardcoded credentials (ACCESS_KEY and HASH_KEY) were discovered in the source file com/index/event/BuildConfig.java. An attacker can extract these keys through reverse engineering and directly call the authenticate_app API to obtain sensitive backend information, including but not limited to FCM server keys, SMTP passwords, Infobip API keys, Elastic email keys, Google reCAPTCHA secrets, and other internal configuration details. |
|---|
| Source | ⚠️ https://www.notion.so/Authorization-Credentials-in-ae-index-apgcs-Lead-to-Exposure-of-Backend-Secrets-3172de3f97fb8040bc30c5519a742251?source=copy_link |
|---|
| User | fxizenta (UID 28116) |
|---|
| Submission | 03/03/2026 08:39 (3 months ago) |
|---|
| Moderation | 03/15/2026 17:25 (12 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 351143 [INDEX Conferences & Exhibitions Organization YWF BPOF APGCS App up to 1.0.2 on Android ae.index.apgcs BuildConfig.java ACCESS_KEY/HASH_KEY hard-coded credentials] |
|---|
| Points | 17 |
|---|