[Security] WebSocket Payload Logging Leaks Signed Requests Including API Key and Signature #509

@mefai-dev

Description

Bug Name

WebSocket Payload Logging Leaks Signed Requests Including API Key and Signature

Attack Scenario

When sending WebSocket messages, the full payload (including apiKey, signature, and timestamp) is logged at INFO level via logging.info(). For signed WebSocket API requests, the payload contains params.apiKey, params.signature, and params.timestamp.

Impact

Log aggregation systems, crash dumps, or shared log files would contain API keys and valid signatures. If an attacker obtains logs within the signature timestamp validity window, they could replay requests.

Components

File: common/src/binance_common/websocket.py (line 334). Payload set in utils.py:676 (apiKey) and utils.py:715 (signature).

Reproduction

  1. Enable INFO-level logging (default).
  2. Make any signed WebSocket API call.
  3. Observe full apiKey and signature in log output.

Fix

Sanitize the payload before logging by redacting apiKey and signature fields. Alternatively, move this log statement to DEBUG level.

Details

Finding ID: SEC-02
Severity: Medium


Researcher: Independent Security Researcher -- Mefai Security Team
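The following is an added illustration of the reproduction and the proposed fix, not code from the reporter or from the project's websocket.py. It logs a constructed signed-request payload at INFO the way the report describes, then logs a copy with apiKey and signature redacted, and checks each captured log line for the secret values. The function names (redact_payload, leaked_secrets, vulnerable_log, hardened_log), the log message format, and the sample payload are assumptions for this example; the key and signature values are placeholders.

```python
import io
import json
import logging
from typing import Any

# Constructed sample of a signed WebSocket API request.  The apiKey and
# signature values are placeholders, not real credentials.
SAMPLE_PAYLOAD: dict[str, Any] = {
    "id": "c1a2b3",
    "method": "order.place",
    "params": {
        "symbol": "BTCUSDT",
        "side": "SELL",
        "type": "LIMIT",
        "timestamp": 1700000000000,
        "apiKey": "EXAMPLEAPIKEY000000000000000000000000000000000000000000000000000",
        "signature": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
    },
}

# Fields that must never reach a log line.  timestamp is left in place: it is
# not secret on its own, and it is useful when debugging clock-skew errors.
SENSITIVE_FIELDS = frozenset({"apiKey", "signature"})
REDACTED = "[REDACTED]"


def redact_payload(payload: Any) -> Any:
    """Return a new structure with every apiKey/signature value masked.

    Walks nested dicts and lists, so the redaction holds wherever the client
    nests the fields (the report says under "params").  The input is not
    mutated, so the original payload is still sent unchanged.
    """
    if isinstance(payload, dict):
        return {k: REDACTED if k in SENSITIVE_FIELDS else redact_payload(v)
                for k, v in payload.items()}
    if isinstance(payload, list):
        return [redact_payload(v) for v in payload]
    return payload


def leaked_secrets(log_text: str, payload: dict[str, Any]) -> set[str]:
    """Names of sensitive fields whose values appear verbatim in log_text.

    This is the check to run over captured log output (step 3 of the
    reproduction) to confirm whether a fix actually closes the leak.
    """
    params = payload.get("params", {})
    return {name for name in SENSITIVE_FIELDS
            if name in params and str(params[name]) in log_text}


def _capture(logger_name: str, message: str, payload: Any) -> str:
    """Emit one INFO record for payload into a string buffer and return it."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    logger = logging.getLogger(logger_name)
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    try:
        logger.info("%s %s", message, json.dumps(payload))
    finally:
        logger.removeHandler(handler)
    return buf.getvalue()


def vulnerable_log(payload: dict[str, Any]) -> str:
    """The pattern the report describes: the full signed payload at INFO."""
    return _capture("ws.vulnerable", "sending", payload)


def hardened_log(payload: dict[str, Any]) -> str:
    """Same log statement, but over the redacted copy of the payload."""
    return _capture("ws.hardened", "sending", redact_payload(payload))


if __name__ == "__main__":
    leaky = vulnerable_log(SAMPLE_PAYLOAD)
    safe = hardened_log(SAMPLE_PAYLOAD)
    print(leaky, end="")
    print(safe, end="")
    print("leaked (vulnerable):", leaked_secrets(leaky, SAMPLE_PAYLOAD))
    print("leaked (hardened):  ", leaked_secrets(safe, SAMPLE_PAYLOAD))
```

Redacting at the call site is preferable to only lowering the statement to DEBUG: a DEBUG log still writes the key and a valid signature to disk whenever someone turns verbose logging on to troubleshoot, which is exactly when logs get pasted into tickets. The leaked_secrets check is also a cheap assertion to keep in a test suite so the leak cannot quietly return.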
