SMTP Password

ID

smtp_password

Severity

high

Vendor

-

Family

Generic secret

Description

The Simple Mail Transfer Protocol (SMTP) is an Internet standard communication protocol for electronic mail transmission.

This detector looks for SMTP credentials in the form of a password assigned to a configuration variable, for example in application properties, YAML or environment files, rather than for SMTP usernames or hosts on their own.

Security

A hardcoded SMTP password lets anyone who can read the source or configuration file authenticate to the mail server as that account and take unintended actions, such as sending fraudulent email (spam or phishing) on behalf of the user or organisation whose account it is.

Examples

spring.mail.smtp.username: bob
# The mail server password is leaked
spring.mail.smtp.password: Mdsf324n1523
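The following is an added example, not part of the original page or of any vendor's detector: a small Python scanner that applies the idea above to constructed configuration lines in several common formats (Spring properties/YAML, dotenv, JSON). It reports an assignment only when the key names SMTP or mail together with a password-like word and the value is a literal, so placeholders such as ${SMTP_PASSWORD} and empty strings are not flagged. Findings carry a masked value so the report itself does not re-leak the secret.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample configuration lines in several formats (not from any real
# project). Lines 3, 5 and 6 carry a literal password; the others should not fire.
SAMPLE_CONFIG = """\
spring.mail.smtp.username: bob
# The mail server password is leaked
spring.mail.smtp.password: Mdsf324n1523
SMTP_HOST=smtp.example.com
SMTP_PASSWORD="s3cr3t-mail-pass"
"smtp_pass": "hunter2hunter2",
smtp.password=${SMTP_PASSWORD}
mail.smtp.password: ""
"""


class Finding(NamedTuple):
    line_no: int
    key: str
    masked: str  # password with all but the first two characters replaced


# Key must mention smtp or mail followed by a password-like word; the key may be
# quoted (JSON) and is followed by ':' or '=' and a value that is either quoted
# or a bare token.
KEY = r'(?P<key>[\w.\-]*(?:smtp|mail)[\w.\-]*(?:password|passwd|pass|pwd)[\w.\-]*)'
ASSIGN = r'["\']?' + KEY + r'["\']?\s*[:=]\s*'
VALUE = r'(?P<value>"[^"]*"|\'[^\']*\'|[^\s,#]+)'
PATTERN = re.compile(ASSIGN + VALUE, re.IGNORECASE)

# Values that are references to a secret supplied at runtime, not the secret itself.
PLACEHOLDER = re.compile(r'^\$\{?\w+\}?$|^<.*>$')


def _literal(raw: str) -> Optional[str]:
    """Return the unquoted value, or None if it is empty or a placeholder."""
    value = raw.strip().strip('"\'')
    if not value or PLACEHOLDER.match(value):
        return None
    return value


def mask(secret: str) -> str:
    """Keep the first two characters so a finding can be correlated without re-leaking it."""
    if len(secret) <= 2:
        return "*" * len(secret)
    return secret[:2] + "*" * (len(secret) - 2)


def scan(text: str) -> List[Finding]:
    """Scan configuration text line by line for hardcoded SMTP passwords."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#") or stripped.startswith("//"):
            continue  # comments are not assignments
        match = PATTERN.search(line)
        if not match:
            continue
        value = _literal(match.group("value"))
        if value is None:
            continue
        findings.append(Finding(line_no, match.group("key"), mask(value)))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_CONFIG):
        print(f"line {finding.line_no}: {finding.key} = {finding.masked}")
```

Running the block prints three findings (lines 3, 5 and 6). The key pattern is deliberately narrow; a production detector would also handle multi-line YAML, URL-embedded credentials (smtp://user:pass@host) and language-specific string syntax.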

Mitigation / Fix

  1. Follow your policy for handling leaked credentials, which typically requires revoking the credential in the target system(s): for SMTP, change the password on the mail server or provider, and update every legitimate client that used it.

  2. Replace the password in the source code or committed configuration file. Do not commit the new password in its place; replace hard-coded secrets with a more secure alternative, such as one of the options documented in How to Prevent Hard-Coded Secrets.

  3. (Optional) If the file is in a git repository, you may remove the secret from the repository history using tools like git filter-repo or BFG Repo-Cleaner; GitHub documents a procedure for this. Rewriting history does not replace step 1: once the password has been pushed, it must be treated as compromised, since clones and forks may still hold it.

  4. Review the mail server's SMTP authentication and sending logs for activity by the affected account during the exposure window (from the first commit containing the password until its revocation): logins from unfamiliar source IPs, unusual sending volume, or messages to recipients the account does not normally contact.
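As an added example of step 4 (not part of the original page), the Python below reviews constructed SMTP authentication log lines for a service account during an exposure window. The log format, the account name, the window and the allowlist of known application servers are all assumptions for the illustration; real servers (Postfix, Exim, a hosted provider) have their own formats and the regular expression must be adapted to them. Successful logins from addresses outside the allowlist are counted per source IP, which is the list an incident responder would then chase.

```python
import re
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, Iterator, Tuple

# Constructed sample of SMTP AUTH log lines in an assumed, simplified format:
#   <ISO-8601 UTC timestamp> smtpd auth user=<account> ip=<client> result=<ok|fail>
SAMPLE_LOG = """\
2024-05-01T08:00:12Z smtpd auth user=noreply@example.com ip=10.0.4.21 result=ok
2024-05-03T02:17:44Z smtpd auth user=noreply@example.com ip=198.51.100.9 result=ok
2024-05-03T02:18:01Z smtpd auth user=noreply@example.com ip=198.51.100.9 result=ok
2024-05-03T09:30:00Z smtpd auth user=noreply@example.com ip=10.0.4.21 result=ok
2024-05-04T11:05:33Z smtpd auth user=alice@example.com ip=203.0.113.7 result=ok
2024-05-06T23:59:59Z smtpd auth user=noreply@example.com ip=198.51.100.9 result=fail
2024-05-08T10:00:00Z smtpd auth user=noreply@example.com ip=198.51.100.9 result=ok
"""

LINE = re.compile(
    r"^(?P<ts>\S+) smtpd auth user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\w+)$"
)

# Assumed: application servers that legitimately authenticate with the service account.
KNOWN_SENDERS = frozenset({"10.0.4.21"})

Event = Tuple[datetime, str, str, str]


def _parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse(text: str) -> Iterator[Event]:
    """Yield (timestamp, account, client ip, result) for each well-formed line."""
    for line in text.splitlines():
        match = LINE.match(line)
        if match:
            yield _parse_ts(match["ts"]), match["user"], match["ip"], match["result"]


def suspicious_logins(text: str, account: str, window_start: str, window_end: str,
                      known=KNOWN_SENDERS) -> Dict[str, int]:
    """Count successful logins by `account` inside the exposure window from IPs not in `known`.

    window_start/window_end are ISO-8601 UTC strings, e.g. the timestamp of the commit
    that introduced the password and the time it was revoked.
    """
    start, end = _parse_ts(window_start), _parse_ts(window_end)
    counts: Counter = Counter()
    for ts, user, ip, result in parse(text):
        if user != account or result != "ok":
            continue  # other accounts and failed attempts are out of scope here
        if not (start <= ts <= end):
            continue  # outside the exposure window
        if ip in known:
            continue  # expected application server
        counts[ip] += 1
    return dict(counts)


if __name__ == "__main__":
    # Assumed window: password committed 2024-05-02, revoked 2024-05-07.
    hits = suspicious_logins(SAMPLE_LOG, "noreply@example.com",
                             "2024-05-02T00:00:00Z", "2024-05-07T00:00:00Z")
    for ip, n in sorted(hits.items()):
        print(f"{ip}: {n} successful login(s) during the exposure window")
```

With the sample data, the only hit is 198.51.100.9 with two successful logins; the failed attempt on 2024-05-06 and the login on 2024-05-08 (after revocation) are excluded. Failed attempts are worth a separate look when they cluster, since they may show the attacker trying the password after rotation.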