
[New Advisory] Hardcoded MyCupra OAuth client_secret, JWT signature bypass, and plaintext token storage in WeConnect-python (PyPI: weconnect) #7310

@AidanDalyAus

Description


Summary

WeConnect-python ships with a hardcoded OAuth client_secret for the MyCupra app, a hardcoded API key for the WeCharge service, decodes JWTs without signature verification, and stores tokens in world-readable files.

Findings

1. Hardcoded MyCupra OAuth client_secret (CWE-798)

weconnect/auth/my_cupra_session.py lines 65 and 121 contain the MyCupra OAuth client_secret. This is a confidential credential shared by all ~6,800 monthly installations. It enables impersonation of the official MyCupra mobile app against VW Group's identity.vwgroup.io.

2. Hardcoded WeCharge x-api-key (CWE-798)

weconnect/auth/we_charge_session.py lines 64 and 110 contain a hardcoded API key for the VW WeCharge EV charging service.

3. JWT verify_signature=False (CWE-347)

weconnect/auth/openid_session.py line 91 decodes id_token without verifying the cryptographic signature. An attacker can forge token expiry claims.

4. Token store without file permissions (CWE-256)

weconnect/auth/session_manager.py line 85 writes tokens to JSON with no chmod 0600 — default umask makes the file world-readable.

5. Password in SessionUser.__str__ (CWE-532)

weconnect/auth/session_manager.py line 23: __str__ returns username:password, leaking credentials in any logging context.

Impact

The Cupra client_secret allows impersonation of the MyCupra app against VW Group's identity provider. Combined with the client_id (also hardcoded), this completes the credential set for unauthorized OAuth token exchange. Affected brands: Volkswagen, Cupra.
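Finding 3, as an added stdlib-only illustration that is not code from WeConnect-python: an unverified decode accepts a token whose exp claim was rewritten, while a decode that checks the signature first rejects it. HS256 with a constructed shared key stands in for the identity provider's real signing scheme; the key, claims and helper names are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

def _b64d(seg: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_unverified(token: str) -> dict:
    # The weak pattern (verify_signature=False): the payload is trusted as-is,
    # so every claim, including exp, is whatever the sender wrote into it.
    return json.loads(_b64d(token.split(".")[1]))

def decode_verified(token: str, key: bytes, now=None) -> dict:
    # Hardened decode: pin the algorithm, check the HS256 MAC over
    # header.payload with a constant-time compare, and only then enforce exp.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64d(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64d(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64d(payload_b64))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

def sign_hs256(claims: dict, key: bytes) -> str:
    # Constructed issuer side, only here to produce sample tokens for the demo
    header_b64 = _b64e(b'{"alg":"HS256","typ":"JWT"}')
    payload_b64 = _b64e(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64e(mac)}"

def tamper_exp(token: str, new_exp: int) -> str:
    # Test vector: rewrite exp but keep the original signature, which is exactly
    # what an unverified decoder cannot tell apart from a genuine token.
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64d(payload_b64))
    claims["exp"] = new_exp
    return f"{header_b64}.{_b64e(json.dumps(claims).encode())}.{sig_b64}"
```

A real fix in the library would keep verify_signature enabled and validate against the provider's published keys rather than a shared secret; the point here is only that expiry is meaningless until the signature has been checked.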
