API keys are accidentally being leaked by websites. Here’s how to find them
The open source extension, now available on GitHub, is called TruffleHog and is the work of Truffle Security.
In a video describing the extension, Mike Ruth, infrastructure security engineer at Bex, said that such keys could be utilized to “access something we shouldn’t”.
Ayrey was able to find one such secret – an AWS key that was buried in the code of the front page of weather.com, a domain that has received over 740 million visitors in the past six months.
The original TruffleHog tool was first released in 2017 as a git repository scanner.
However, it proved controversial after it was used by a member of the drone hacking community to discover leaks in drone developer DJI’s enterprise GitHub repository.
The developer allegedly responsible for the accidental leaks was fined and jailed by the Chinese government.
This time around, Ayrey told The Daily Swig that he worked with HackerOne and a few select researchers in an early beta to clean up “low-hanging fruit” ahead of public release, and the extension was prompted by the need to examine cross-origin resource sharing (CORS) security flaws – an area the researcher says “has not been explored much”.
Flip the script
“Because multiple frontend applications often consume the same backend API, many internal apps unfortunately get scopes with permissive CORS settings,” Ayrey commented.
“Unfortunately, CORS issues can often cascade and lead to multiple points of failure compromising the integrity of the keys on internal apps.”
This may result in a foreign origin being able to make requests to internal apps and APIs – and, potentially, become an avenue for key theft. TruffleHog will scan for these keys, which could then be reported to vendors for bug bounties.
In addition, the developer says, the software can detect exposed .git repositories and .env files, which may contain credentials, and scan backends for them. A check for environment variable scripts has also been included.
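The two checks described above, as an added example that is not TruffleHog's own code: pattern-plus-entropy secret detection over a constructed JavaScript sample, and a classifier for the permissive CORS response pattern. The key values are AWS's documented placeholder credentials; the header dictionaries and the 4.0-bit entropy threshold are assumptions.

```python
import math
import re

# Constructed sample of front-end JavaScript. The credentials are the
# placeholder values AWS uses in its own documentation, not live keys.
SAMPLE_JS = """
const cfg = {
  region: "us-east-1",
  accessKeyId: "AKIAIOSFODNN7EXAMPLE",
  secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  theme: "light",
};
"""

# Long-lived (AKIA) and temporary (ASIA) AWS access key IDs share a fixed shape.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Any quoted token of 20+ base64/URL-safe characters is an entropy candidate.
CANDIDATE = re.compile(r"[\"']([A-Za-z0-9+/=_\-]{20,})[\"']")


def shannon_entropy(s):
    """Bits per character; random secrets score well above identifiers or prose."""
    n = len(s)
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secrets(js_text, entropy_threshold=4.0):
    """Return (kind, value) pairs: pattern hits first, then high-entropy strings."""
    findings = [("aws_access_key_id", m.group(0)) for m in AWS_KEY_ID.finditer(js_text)]
    for m in CANDIDATE.finditer(js_text):
        token = m.group(1)
        if AWS_KEY_ID.fullmatch(token):
            continue  # already reported by the pattern check
        if shannon_entropy(token) >= entropy_threshold:
            findings.append(("high_entropy_string", token))
    return findings


def cors_risk(response_headers, request_origin):
    """Classify a CORS response to a request from an origin NOT on the allow list."""
    hdrs = {k.lower(): v for k, v in response_headers.items()}
    allow_origin = hdrs.get("access-control-allow-origin", "")
    with_creds = hdrs.get("access-control-allow-credentials", "").lower() == "true"
    if allow_origin == request_origin and with_creds:
        # The server echoed an unlisted origin and lets it send cookies, so that
        # foreign origin can read authenticated responses (and any keys in them).
        return "reflected-origin-with-credentials"
    if allow_origin == "*":
        return "wildcard"  # any origin may read unauthenticated responses
    return "ok" if allow_origin else "no-cors"
```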
The extension is currently undergoing a security audit by Google for the Chrome Store and so, as of now, can only be side-loaded.