
[Security] API Secret Stored as Immutable String in Java #226

@mefai-dev

Description

Bug Name

API Secret Stored as Immutable String in Java

Attack Scenario

Java String objects are immutable and cannot be zeroed from memory. The API secret remains in the JVM heap until garbage collection and may appear in heap dumps.

Impact

Low. Requires heap dump access. Relevant for compliance-sensitive environments.

Components

File: clients/common/src/main/java/com/binance/connector/client/common/sign/HmacSignatureGenerator.java, line 10: private final String apiSecret

Reproduction

  1. Take a heap dump of a running Java application using the connector.
  2. Search for API secret string in the heap dump.
  3. Secret is present and readable.

Fix

Use char[] or byte[] that can be explicitly zeroed after use, following Java security best practices.

Details

Finding ID: LOW-02
Severity: Low

Researcher: Independent Security Researcher -- Mefai Security Team
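A byte[]-based signer of the kind the Fix section suggests, written as an added example for this issue. It is not the connector's own HmacSignatureGenerator; the class name ZeroableHmacSigner, the fromChars helper and the sample secret are hypothetical. The secret is held in a mutable byte[], used for an HmacSHA256 signature, and overwritten in close(), so a heap dump taken after the signer is closed no longer contains it:

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Hypothetical HMAC-SHA256 signer that keeps the API secret in a byte[]
 * and wipes it on close(). Added example for this issue, not the
 * connector's HmacSignatureGenerator.
 */
public final class ZeroableHmacSigner implements AutoCloseable {
    private static final String ALGORITHM = "HmacSHA256";

    private final byte[] apiSecret;   // mutable, so it can be overwritten
    private boolean closed;

    /** Takes ownership of the array; the caller must not keep using it. */
    public ZeroableHmacSigner(byte[] apiSecret) {
        this.apiSecret = apiSecret;
    }

    /**
     * Converts a char[] (e.g. from Console.readPassword()) to UTF-8 bytes and
     * wipes both the input and the encoder's scratch buffer, so the secret
     * never passes through a String.
     */
    public static byte[] fromChars(char[] chars) {
        ByteBuffer buf = StandardCharsets.UTF_8.encode(CharBuffer.wrap(chars));
        byte[] out = new byte[buf.remaining()];
        buf.get(out);
        if (buf.hasArray()) {
            Arrays.fill(buf.array(), (byte) 0);
        }
        Arrays.fill(chars, '\0');
        return out;
    }

    /** Returns the lowercase hex HMAC-SHA256 of payload under the secret. */
    public String sign(String payload) throws GeneralSecurityException {
        if (closed) {
            throw new IllegalStateException("secret has already been zeroed");
        }
        Mac mac = Mac.getInstance(ALGORITHM);
        // SecretKeySpec copies the key bytes; that copy is freed only by GC.
        mac.init(new SecretKeySpec(apiSecret, ALGORITHM));
        byte[] tag = mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder(tag.length * 2);
        for (byte b : tag) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    /** Overwrites the secret; the signer is unusable afterwards. */
    @Override
    public void close() {
        Arrays.fill(apiSecret, (byte) 0);
        closed = true;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample. A literal is itself an interned String, so in a
        // real deployment read the chars from Console.readPassword() or the
        // bytes from a file InputStream instead.
        char[] secretChars = "hypothetical-api-secret".toCharArray();
        byte[] secret = fromChars(secretChars);

        String signature;
        try (ZeroableHmacSigner signer = new ZeroableHmacSigner(secret)) {
            signature = signer.sign("symbol=BTCUSDT&timestamp=1700000000000");
        }
        System.out.println("signature:   " + signature);
        System.out.println("chars wiped: " + (secretChars[0] == '\0'));
        System.out.println("bytes wiped: " + Arrays.equals(secret, new byte[secret.length]));
    }
}
```

Two caveats a practitioner should keep in mind. Zeroing the byte[] only helps if the secret never existed as a String upstream (configuration loaded via System.getenv or a properties file already produces an immutable copy), so the caller has to supply the secret as char[] or bytes from the start. And SecretKeySpec takes its own copy of the key, which lives until the Mac and key objects are garbage collected, so close() shrinks the exposure window rather than closing it completely. To check the fix, take a heap dump after the signer is closed and search it for the secret as in the Reproduction steps above.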
