
[New Advisory] Hardcoded API Key, OAuth Credentials, and Defeated PKCE in mytoyota (PyPI) #7309

@AidanDalyAus

Summary

mytoyota ships with hardcoded API credentials and a completely non-functional PKCE implementation.

Findings

1. Hardcoded x-api-key (CWE-798)

controller.py line 237: "x-api-key": "tTZipv6liF74PwMfk9Ed68AQ0bISswwf3iHQdqcF" — sent in every request to Toyota Connected Services. Shared by all installations.

2. Hardcoded Basic Auth (CWE-798)

controller.py lines 138/165: "authorization": "basic b25lYXBwOm9uZWFwcA==" which decodes to oneapp:oneapp.

3. PKCE Defeated (CWE-346)

const.py: code_challenge=plain&code_challenge_method=plain
controller.py: "code_verifier": "plain"

The PKCE code verifier is a hardcoded literal string "plain", completely defeating RFC 7636. An attacker who intercepts the authorization code can exchange it because the verifier is a known constant.

4. Token cache without file permissions (CWE-256)

Tokens cached to ~/.cache/toyota_credentials_cache_contains_secrets in plaintext JSON, created under the default umask (typically resulting in mode 0644, world-readable).

5. Real JWT tokens in test fixtures

tests/integration_tests/data/cached_token.json contains real-looking JWT tokens.

Impact

Anyone reading the public source code gets the API key and OAuth credentials to impersonate the Toyota OneApp against Toyota Connected Services (vehicle location, telemetry, trip history, remote commands). The defeated PKCE means intercepted authorization codes are trivially exchangeable.
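As an added defensive example that is not part of this report or of the mytoyota project, the following Python shows what findings 3 and 4 look like when done correctly: a fresh random verifier and S256 challenge per RFC 7636 together with the check a token endpoint performs, a validator that rejects the plain/"plain" configuration, and a token cache written with mode 0600 instead of the umask default. Function names and the sample token value are assumptions.

```python
import base64
import hashlib
import json
import os
import secrets
import tempfile

# Characters RFC 7636 allows in a code verifier (the "unreserved" set).
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")


def b64url(raw: bytes) -> str:
    """base64url without padding, as RFC 7636 specifies."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Fresh random verifier (43 chars) and its S256 challenge."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verifier_matches(verifier: str, challenge: str) -> bool:
    """The token endpoint's check: BASE64URL(SHA256(verifier)) == challenge."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest()) == challenge


def pkce_is_effective(method: str, verifier: str) -> bool:
    """Reject configurations like method=plain / verifier="plain": require
    S256 and a verifier of 43-128 unreserved characters."""
    if method != "S256":
        return False
    return 43 <= len(verifier) <= 128 and set(verifier) <= UNRESERVED


def write_token_cache(path: str, tokens: dict) -> int:
    """Write the cache owner-read/write only and return its permission bits.
    Passing 0o600 to os.open applies at creation, so the file never exists
    with the umask-derived 0644 that a bare open() would produce."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(tokens, fh)
    os.chmod(path, 0o600)  # also tighten a cache file that already existed
    return os.stat(path).st_mode & 0o777


def cache_mode_in_tmpdir() -> int:
    """Write a constructed sample token set to a temp dir; return its mode."""
    with tempfile.TemporaryDirectory() as d:
        return write_token_cache(os.path.join(d, "cache.json"), {"access_token": "sample"})
```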
