[New Advisory] Hardcoded API Key, OAuth Credentials, and Defeated PKCE in mytoyota (PyPI)

## Package

- **Ecosystem:** PyPI
- **Package name:** mytoyota
- **Repo:** https://github.com/DurgNomis-drol/mytoyota
- **Affected versions:** all versions through latest
- **CWE:** CWE-798 (Use of Hard-coded Credentials), CWE-346 (Origin Validation Error)
- **Severity:** High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N = 7.1)

## Summary

mytoyota ships with hardcoded API credentials and a completely non-functional PKCE implementation.

## Findings

### 1. Hardcoded x-api-key (CWE-798)
controller.py line 237: `"x-api-key": "tTZipv6liF74PwMfk9Ed68AQ0bISswwf3iHQdqcF"` — sent in every request to Toyota Connected Services. Shared by all installations.

### 2. Hardcoded Basic Auth (CWE-798)
controller.py lines 138/165: `"authorization": "basic b25lYXBwOm9uZWFwcA=="` which decodes to `oneapp:oneapp`.

### 3. PKCE Defeated (CWE-346)
const.py: `code_challenge=plain&code_challenge_method=plain`
controller.py: `"code_verifier": "plain"`

The PKCE code verifier is a hardcoded literal string "plain", completely defeating RFC 7636. An attacker who intercepts the authorization code can exchange it because the verifier is a known constant.

### 4. Token cache without file permissions (CWE-256)
Tokens cached to `~/.cache/toyota_credentials_cache_contains_secrets` in plaintext JSON with default umask (typically 0644, world-readable).

### 5. Real JWT tokens in test fixtures
tests/integration_tests/data/cached_token.json contains real-looking JWT tokens.

## Impact

Anyone reading the public source code gets the API key and OAuth credentials to impersonate the Toyota OneApp against Toyota Connected Services (vehicle location, telemetry, trip history, remote commands). The defeated PKCE means intercepted authorization codes are trivially exchangeable.

## Affected Code

- x-api-key: https://github.com/DurgNomis-drol/mytoyota/blob/main/mytoyota/controller.py#L237
- Basic Auth: https://github.com/DurgNomis-drol/mytoyota/blob/main/mytoyota/controller.py#L138
- PKCE bypass: https://github.com/DurgNomis-drol/mytoyota/blob/main/mytoyota/const.py#L7
- Token cache: https://github.com/DurgNomis-drol/mytoyota/blob/main/mytoyota/controller.py#L30


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[New Advisory] Hardcoded API Key, OAuth Credentials, and Defeated PKCE in mytoyota (PyPI) #7309

Package

Summary

Findings

1. Hardcoded x-api-key (CWE-798)

2. Hardcoded Basic Auth (CWE-798)

3. PKCE Defeated (CWE-346)

4. Token cache without file permissions (CWE-256)

5. Real JWT tokens in test fixtures

Impact

Affected Code

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

[New Advisory] Hardcoded API Key, OAuth Credentials, and Defeated PKCE in mytoyota (PyPI) #7309

Description

Package

Summary

Findings

1. Hardcoded x-api-key (CWE-798)

2. Hardcoded Basic Auth (CWE-798)

3. PKCE Defeated (CWE-346)

4. Token cache without file permissions (CWE-256)

5. Real JWT tokens in test fixtures

Impact

Affected Code

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions