## Public GitHub Repository Exposes All Production Railway Microservice Endpoints in Plaintext Configuration A critical security exposure has been identified in a public GitHub repository where all seven production Railway service URLs are hardcoded directly into the Playwright test configuration file. The flaw grants anyone with repository access an exact map of every live microservice endpoint, including authentication, user management, content delivery, watch-party functionality, battle systems, notifications, and admin services. The vulnerable file, `playwright.config.ts` (lines 75–110), contains plaintext baseURL declarations for each service, including auth-production-XXXX.up.railway.app, user-production-XXXX.up.railway.app, content-production-XXXX.up.railway.app, watch-part-production.up.railway.app, battle-production-XXXX.up.railway.app, notification-production-XXXX.up.railway.app, and admin-production-XXXX.up.railway.app. Because the repository is public, search engine indexation and automated scanning tools can easily surface these endpoints without any authentication or privilege escalation required. Security researchers warn that production endpoint exposure of this nature significantly raises risk of targeted enumeration attacks, API abuse, unauthorized data access, and lateral movement across microservices. Hardcoding production URLs in version-controlled, publicly accessible code represents a fundamental failure of secrets management hygiene. The incident underscores persistent gaps in development workflows where test infrastructure inadvertently doubles as an intelligence source for malicious actors. Immediate remediation would require removing the configuration from public history, rotating affected endpoints, and implementing environment variable substitution or a secrets vault for all non-local deployments. --- - **Source**: GitHub Issues - **Sector**: The Vault - **Tags**: hardcoded credentials, production exposure, railway, github security, microservices - **Credibility**: unverified - **Published**: 2026-05-14 11:48:22 - **ID**: 82985 - **URL**: https://whisperx.ai/en/intel/82985