Missing User Warnings
Medium
- Confidence
- 95% confidence
- Finding
- The README explicitly instructs users to create and store a 10-year bearer token for a backup server and presents it as a security feature without warning that it is a high-value credential. If exposed through config files, logs, shell history, backups, or repo commits, an attacker could use the token to access and control Duplicati backup operations for a very long period.
