[New Advisory] Hardcoded MyCupra OAuth client_secret, JWT signature bypass, and plaintext token storage in WeConnect-python (PyPI: weconnect) #7310
Description
Package
- Ecosystem: PyPI
- Package name: weconnect
- Repo: https://github.com/tillsteinbach/WeConnect-python
- Affected versions: all versions through 0.60.11
- CWE: CWE-798 (Use of Hard-coded Credentials), CWE-347 (Improper Verification of Cryptographic Signature)
- Severity: High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N = 7.1)
Summary
WeConnect-python ships with a hardcoded OAuth client_secret for the MyCupra app, a hardcoded API key for the WeCharge service, decodes JWTs without signature verification, and stores tokens in world-readable files.
Findings
1. Hardcoded MyCupra OAuth client_secret (CWE-798)
weconnect/auth/my_cupra_session.py lines 65 and 121 contain the MyCupra OAuth client_secret. This is a confidential credential shared by all ~6,800 monthly installations. It enables impersonation of the official MyCupra mobile app against VW Group's identity.vwgroup.io.
2. Hardcoded WeCharge x-api-key (CWE-798)
weconnect/auth/we_charge_session.py lines 64 and 110 contain a hardcoded API key for the VW WeCharge EV charging service.
3. JWT verify_signature=False (CWE-347)
weconnect/auth/openid_session.py line 91 decodes id_token without verifying the cryptographic signature. An attacker can forge token expiry claims.
4. Token store without file permissions (CWE-256)
weconnect/auth/session_manager.py line 85 writes tokens to JSON with no chmod 0600 — default umask makes the file world-readable.
5. Password in SessionUser.__str__ (CWE-532)
weconnect/auth/session_manager.py line 23: __str__ returns username:password, leaking credentials in any logging context.
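Findings 3, 4 and 5 are code-level defects with short hardened forms. The Python below is an added illustration written for this advisory, not code from WeConnect-python: a token store created with owner-only (0600) permissions regardless of umask, a SessionUser whose str and repr redact the password, and a JWT decode that only returns claims after the signature and exp claim have been checked, placed beside the unverified decode it replaces. The HS256 scheme with a constructed key stands in for the public-key (JWKS) verification an OIDC id_token from the real provider needs; the field names username/password, every function name and the sample claims are assumptions.

```python
import base64
import hashlib
import hmac
import json
import os
import stat
import tempfile
import time
from dataclasses import dataclass
from typing import Optional


@dataclass(repr=False)
class SessionUser:
    """Credential holder whose string forms never expose the password (finding 5)."""
    username: str   # field names are assumed, not taken from the project
    password: str

    def __str__(self) -> str:
        return f"{self.username}:<redacted>"

    def __repr__(self) -> str:
        return f"SessionUser(username={self.username!r}, password=<redacted>)"


def write_token_store(path: str, tokens: dict) -> int:
    """Persist tokens as JSON readable only by the owner (finding 4).

    O_CREAT with mode 0o600 means the file never exists with umask-derived
    group/world bits; fchmod tightens a file that already existed with looser
    permissions. Returns the resulting permission bits.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        if hasattr(os, "fchmod"):          # not available on Windows
            os.fchmod(fd, 0o600)
        json.dump(tokens, fh)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo_token_store() -> int:
    """Write a constructed token set into a temp dir and report its mode."""
    path = os.path.join(tempfile.mkdtemp(), "tokens.json")
    return write_token_store(path, {"access_token": "constructed-sample"})


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Mint a test token; stands in for the identity provider in this demo."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def decode_unverified(token: str) -> dict:
    """What verify_signature=False amounts to: the payload is trusted as-is (finding 3)."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def decode_verified(token: str, key: bytes, now: Optional[float] = None) -> dict:
    """Return claims only after the signature and the exp claim check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # the token must not choose the algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims


def rejection_reason(token: str, key: bytes, now: Optional[float] = None) -> Optional[str]:
    """None when the token verifies, otherwise the reason it was refused."""
    try:
        decode_verified(token, key, now)
    except ValueError as err:
        return str(err)
    return None


if __name__ == "__main__":
    key = b"constructed-demo-key"
    good = make_hs256_token({"sub": "user", "exp": 2000}, key)
    print(decode_verified(good, key, now=1000))
    foreign = make_hs256_token({"sub": "user", "exp": 9999}, b"some-other-key")
    print(decode_unverified(foreign))                  # accepted without any check
    print(rejection_reason(foreign, key, now=1000))     # signature mismatch
    print(oct(demo_token_store()), SessionUser("alice", "hunter2"))
```

The unverified decode is kept only as the baseline being replaced: a token signed under any other key decodes identically through it, while decode_verified refuses it before the exp claim is ever read.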
Impact
The Cupra client_secret allows impersonation of the MyCupra app against VW Group's identity provider. Combined with the client_id (also hardcoded), this completes the credential set for unauthorized OAuth token exchange. Affected brands: Volkswagen, Cupra.
Affected Code
- Cupra client_secret: https://github.com/tillsteinbach/WeConnect-python/blob/main/weconnect/auth/my_cupra_session.py#L65
- WeCharge x-api-key: https://github.com/tillsteinbach/WeConnect-python/blob/main/weconnect/auth/we_charge_session.py#L64
- JWT bypass: https://github.com/tillsteinbach/WeConnect-python/blob/main/weconnect/auth/openid_session.py#L91
- Token store: https://github.com/tillsteinbach/WeConnect-python/blob/main/weconnect/auth/session_manager.py#L85
- Password leak: https://github.com/tillsteinbach/WeConnect-python/blob/main/weconnect/auth/session_manager.py#L23