Security Audit Report
10 findings (3 CRITICAL, 4 HIGH, 3 MEDIUM) identified during an authorized security audit.
Critical Findings
- Google Play Service Account Private Key Committed (CRITICAL) — A full RSA private key is present in CustomerApp/google-service-account.json and RiderApp/google-service-account.json. Rotate the key immediately; removing the file alone leaves it in git history.
- Rider Passwords in Plaintext (CRITICAL) — The getRiders GraphQL query returns the password field, the Admin Dashboard displays it in its data table and edit forms, and the backend stores it in plaintext.
- Hardcoded Default Credentials (CRITICAL) — Admin: admin@enatega.com/enatega123, Customer: john@test.com/123123, Rider: rider/123123.
High Findings
- The GraphQL configuration query exposes the Stripe secret_key, the PayPal client_secret, and the email account password.
- Stripe Checkout: XSS via template literal interpolation into the HTML loaded in a WebView.
- Firebase/Google API keys committed across multiple files.
- Apple Developer account info exposed in eas.json.
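The injection class behind the Stripe Checkout finding, as an added example that is not the project's code: a builder that interpolates order fields straight into WebView HTML and into a script block, beside a hardened builder that escapes text and passes data to the script only as a JSON literal. The order fields (description, email, amount) and the benign alert(1) payloads are constructed for the illustration and target no real application; no Stripe API is called.

```javascript
// Added example (not the audited project's code). Field names and payloads are
// constructed placeholders.

// Vulnerable: untrusted order data lands unescaped in HTML text and inside a
// <script> block, so a value that closes the surrounding context runs script
// in the WebView that holds the checkout.
function buildCheckoutHtmlVulnerable(order) {
  return `<html><body>
<h1>Order ${order.description}</h1>
<script>
  var customer = { email: "${order.email}", amount: ${order.amount} };
</script>
</body></html>`;
}

// Escape the characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Serialise data for a <script> block: JSON.stringify, then escape the
// characters that could terminate the script element or upset the JS parser.
function toScriptJson(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened: text is HTML-escaped, the amount is validated as a number before
// use, and structured data reaches the script only as one JSON literal.
function buildCheckoutHtmlHardened(order) {
  const amount = Number(order.amount);
  if (!Number.isFinite(amount) || amount < 0) {
    throw new TypeError('amount must be a non-negative number');
  }
  const customer = { email: String(order.email), amount };
  return `<html><body>
<h1>Order ${escapeHtml(order.description)}</h1>
<script>
  var customer = ${toScriptJson(customer)};
</script>
</body></html>`;
}

// Demo check: the template legitimately contains exactly one <script> opening
// tag, so any additional one came from the interpolated data.
function countScriptTags(html) {
  return (html.match(/<script/gi) || []).length;
}
```

With a description of `</h1><script>alert(1)</script>` the vulnerable builder emits two script tags and the hardened one emits one; a non-numeric amount such as `1}; alert(1); //` is rejected by the hardened builder before any HTML is produced. The same two rules (escape in HTML context, JSON-encode in script context) apply to any value the app passes into a WebView via a template literal.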
Medium Findings
- Admin authentication is enforced client-side only.
- Auth token logged to the console.
- MongoDB connection URL changeable via a GraphQL mutation.
Responsible disclosure — no exploit code included.