[VULNERABILITY] Kite generateSession not validating api_secret value in both python and nodejs

Muukund
Is this a known issue where the Kite generateSession API ignores api_secret validation while generating a new session? I tried both the Python and NodeJS API calls and the result is the same. Meaning, I start my algo intending to use account X. However, I can choose a different account (Y) when redirected to the Kite login page and then log in to that account. After redirection, a token is sent by Kite which is used to generate the session. Along with the session, we also pass the api_secret. I confirmed multiple times that I can log in to another account and Kite does not validate the api_secret.
  • rakeshr
    I confirmed multiple times that I can login to another account and kite does not validate the api_secret.
    No, this shouldn't happen. We do validate the checksum (which is the SHA-256 of api_key + request_token + api_secret) at the backend. You can refer to the complete auth flow here.
    Were you able to generate access_token successfully?
    Can you DM me your API key?
  • sujith
    @Muukund,
    A Kite Connect app is by default enabled for a single client id which means one can't use it with some other client id.
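The two checks discussed in the thread, the checksum rakeshr describes and the single-client-id binding sujith mentions, as an added illustration that is not part of this thread or of the Kite Connect code: the backend function, the app registry and all sample values are constructed, and hex encoding of the digest is assumed.

```python
import hashlib
import hmac

# Constructed sample data (not real credentials): one Kite Connect app,
# its api_secret, and the single client id the app is enabled for.
APP_REGISTRY = {
    "abc123": {"api_secret": "s3cr3t", "allowed_client_id": "AB1234"},
}


def build_session_checksum(api_key: str, request_token: str, api_secret: str) -> str:
    """Client side: SHA-256 over api_key + request_token + api_secret.

    The concatenation order follows the thread; hex encoding is an assumption.
    """
    payload = (api_key + request_token + api_secret).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


def verify_session_request(api_key: str, request_token: str, checksum: str,
                           token_owner_client_id: str):
    """Hypothetical backend check for the session exchange.

    Returns (ok, reason). Both conditions must hold: the caller proves it holds
    the api_secret, and the request_token was issued to the client id the app
    is enabled for, so a login into a different account during the redirect
    cannot be turned into a session for this app.
    """
    app = APP_REGISTRY.get(api_key)
    if app is None:
        return False, "unknown api_key"
    expected = build_session_checksum(api_key, request_token, app["api_secret"])
    # Constant-time comparison so the check does not leak the expected digest.
    if not hmac.compare_digest(expected, checksum):
        return False, "checksum mismatch: caller does not hold the api_secret"
    # The request_token belongs to whichever account logged in at the redirect;
    # bind it to the client id registered for this app.
    if token_owner_client_id != app["allowed_client_id"]:
        return False, "request_token belongs to a client id not enabled for this app"
    return True, "ok"


if __name__ == "__main__":
    good = build_session_checksum("abc123", "tok-1", "s3cr3t")
    print(verify_session_request("abc123", "tok-1", good, "AB1234"))   # (True, 'ok')
    print(verify_session_request("abc123", "tok-1", good, "CD5678"))   # other account
```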