API keys are accidentally being leaked by websites. Here’s how to find them

TruffleHog is a new hacking tool for discovering leaked API keys in JavaScript

A new Chrome browser extension has been released to help bug bounty hunters find keys that have made their way into JavaScript online.

The open source extension, now available on GitHub, is called TruffleHog and is the work of Truffle Security.

The cybersecurity firm’s co-founder, Dylan Ayrey, said in a blog post dated September 19 that often, API Keys for software-as-a-service (SaaS) and cloud providers are making their way into JavaScript, and so the company is “proud” to offer a Chrome extension able to find them.

In a video describing the extension, Mike Ruth, infrastructure security engineer at Bex, said that such keys could be utilized to “access something we shouldn’t”.



Ayrey was able to find one such secret – an AWS key that was buried in the code of the front page of weather.com, a domain that has received over 740 million visitors in the past six months.

Truffle shuffle

The original TruffleHog tool was originally released back in 2017 as a git repository scanner.

However, it proved controversial after it was used by a member of the drone hacking community to discover leaks in drone developer DJI’s enterprise GitHub repository.


Read more about the latest open source hacking tools


The developer allegedly responsible for the accidental leaks was fined and jailed by the Chinese government.

This time around, Ayrey told The Daily Swig that he worked with HackerOne and a few select researchers in an early beta to clean up “low-hanging fruit” ahead of public release, and the extension was prompted by the need to examine cross-origin resource sharing (CORS) security flaws – an area the researcher says “has not been explored much”.

Flip the script

According to Ayrey, many of today’s SaaS applications are built in a way that “encourages frontend applications to contain keys in their JavaScript”.

Many are not accidents, nor are they in “observable text blocks”, the developer says, but are actually in active use by JavaScript on a page when APIs allow CORS.

Some APIs may have permissive CORS settings, encouraging websites to make requests to an API – such as AWS – but as they are credentialed, a common method employed by website owners is to employ JavaScript that contains the credentials necessary.


RECOMMENDED HAProxy vulnerability enables HTTP request smuggling attacks


“Because multiple frontend applications often consume the same backend API, many internal apps unfortunately get scopes with permissive CORS settings,” Ayrey commented.

“Unfortunately, CORS issues can often cascade and lead to multiple points of failure compromising the integrity of the keys on internal apps.”

This may result in a foreign origin able to make requests to internal apps and APIs – and, potentially, become an avenue for key theft. TruffleHog will scan for these keys, which could then potentially be reported to vendors for bug bounties.

In addition, the software is able to detect exposed and related .git repositories and .env files which may contain credentials and scan backends for them, the developer says. A check has also been included for environment variable scripts.

There are limitations to the extension, however. Ayrey says that at the current time, the extension reads out full document trees, parses all of the JavaScript links, and fetches static assets twice for scanning, which can impact performance levels. There is also no caching.

The extension is currently undergoing a security audit by Google for the Chrome Store and so, as of now, can only be side-loaded.


YOU MAY ALSO LIKE Raider: A tool to test authentication in web applications