Charlie Osborne September 24, 2021 at 14:45 UTC
Updated: September 24, 2021 at 14:57 UTC
API keys are accidentally leaked by websites. Here’s how to find them
The open source extension, now available on GitHub, is called TruffleHog and is the work of Truffle Security.
In a video describing the extension, Mike Ruth, infrastructure security engineer at Bex, said such keys could be used to “access something we shouldn’t”.
Ayrey was able to find one of those secrets – an AWS key that was buried in the code on the front page of weather.com, a domain that has received over 740 million visitors in the past six months.
Mix of truffles
The original TruffleHog tool was released in 2017 as a git repository scanner.
However, it proved controversial after being used by a member of the drone hacking community to discover leaks in the corporate GitHub repository of drone developer DJI.
The developer allegedly responsible for the accidental leaks has been fined and jailed by the Chinese government.
This time, Ayrey told The Daily Swig that he worked with HackerOne and a few selected researchers in an early beta to clean up the “low-hanging fruit” ahead of public release, and that the extension was motivated by the need to look into cross-origin resource sharing (CORS) security vulnerabilities, an area the researcher says “has not been explored much”.
Flip the script
“Because multiple front-end applications often consume the same main API, unfortunately many internal applications get scopes with permissive CORS settings,” Ayrey commented.
“Unfortunately, CORS problems can often cascade and lead to multiple points of failure compromising the integrity of keys on internal applications.”
This can result in a foreign origin capable of making requests to internal applications and APIs – and, potentially, becoming an avenue for key theft. TruffleHog will search for these keys, which could then be reported to vendors for bug bounties.
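The failure mode described above can be checked mechanically: send requests from origins you control and see what `Access-Control-Allow-Origin` and `Access-Control-Allow-Credentials` come back. The following is an added example written for this article, not TruffleHog's code or anything from Truffle Security; the two backends, the probe origins and the severity labels are constructed for illustration. In a live test `responder` would be a `fetch()` (or curl) call that sets a custom `Origin` header, which is possible from Node or the command line but not from inside a browser page.

```javascript
// Added example (not TruffleHog's code): classify CORS responses for the
// permissive configurations the article warns about. A backend that echoes an
// attacker-controlled Origin and also sends Access-Control-Allow-Credentials:
// true lets a page on a foreign origin read authenticated responses, which is
// the "avenue for key theft" described in the text.

function classifyCors(probeOrigin, responseHeaders) {
  // Header names are case-insensitive; normalise once.
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;
  const acao = h["access-control-allow-origin"];
  const creds = String(h["access-control-allow-credentials"] || "").toLowerCase() === "true";

  if (acao === undefined) return "no-cors"; // browser blocks the cross-origin read
  // Browsers refuse credentialed reads when the header is "*", so this is a
  // misconfiguration but not directly exploitable for authenticated data.
  if (acao === "*") return creds ? "wildcard-with-credentials" : "wildcard";
  if (acao === "null") return creds ? "null-origin-with-credentials" : "null-origin";
  // probeOrigin is one we control, so a match means the server echoed it back.
  if (acao === probeOrigin) return creds ? "reflected-with-credentials" : "reflected";
  return "allowlisted";
}

// Rank outcomes: a reflected or null origin combined with credentials is the
// exploitable case; a wildcard without credentials only exposes what was
// already readable anonymously.
function severity(cls) {
  if (cls === "reflected-with-credentials" || cls === "null-origin-with-credentials") return "high";
  if (cls === "reflected" || cls === "null-origin") return "medium";
  if (cls === "wildcard" || cls === "wildcard-with-credentials") return "low";
  return "none";
}

// `responder(origin)` returns the response headers for a request carrying that
// Origin. Here both responders are constructed stand-ins for an internal API.
function probeOrigins(responder, origins) {
  return origins.map(origin => {
    const cls = classifyCors(origin, responder(origin));
    return { origin, cls, severity: severity(cls) };
  });
}

// Constructed: the permissive pattern, echoing every Origin with credentials.
const reflectingBackend = origin => ({
  "Access-Control-Allow-Origin": origin,
  "Access-Control-Allow-Credentials": "true",
  "Vary": "Origin",
});

// Constructed: an exact-match allowlist, which is what the fix looks like.
const ALLOWED = new Set(["https://app.example.com", "https://admin.example.com"]);
const allowlistBackend = origin =>
  ALLOWED.has(origin)
    ? { "Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true", "Vary": "Origin" }
    : {};

// Constructed probe set: a plain attacker origin, the "null" origin a sandboxed
// iframe sends, and a lookalike that defeats naive suffix matching.
const PROBE_ORIGINS = [
  "https://attacker.example",
  "null",
  "https://app.example.com.attacker.example",
];

console.log(JSON.stringify(probeOrigins(reflectingBackend, PROBE_ORIGINS), null, 2));
console.log(JSON.stringify(probeOrigins(allowlistBackend, PROBE_ORIGINS), null, 2));
```

The `Vary: Origin` header matters in both backends: without it a cache can serve one origin's `Access-Control-Allow-Origin` to another, which is one way the "cascade" Ayrey describes turns a single permissive service into a problem for everything behind the same API.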
Additionally, the software is capable of detecting exposed .git repositories and associated .env files that may contain credentials, and of scanning backends for them, the developer said. A check for environment variable scripts has also been included.
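To make the detection side concrete, here is an added example of a minimal client-side secret finder, written for this article and not taken from TruffleHog or Truffle Security. It runs over a constructed sample of bundled front-end JavaScript and combines three checks: a pattern rule for AWS access key IDs, an entropy rule for long quoted strings (the approach the original TruffleHog git scanner was known for), and a crude check for references to `.env` and `.git` paths of the kind the paragraph above mentions. The sample key pair is the one AWS publishes in its own documentation as an example and is not a live credential; the 4.5-bit entropy cutoff, the rule names and the quoted-string charset are assumptions to tune against your own false-positive rate.

```javascript
// Added example (not TruffleHog's code): scan JavaScript text for leaked
// credentials and for references to dotfiles that should not be web-reachable.

const RULES = [
  // AWS access key IDs have a fixed prefix and length, so a regex is reliable.
  { name: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/g },
  // References to .env or .git that a front end should never need; if the
  // bundle mentions them, the files may also be fetchable from the web root.
  { name: "dotfile-reference", re: /(?<![\w.])\.(?:env|git)(?![\w])/g },
];

// Shannon entropy in bits per character: random keys score high, prose,
// URLs and identifiers score low.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Quoted tokens of 20+ characters drawn from a base64-like alphabet.
const QUOTED = /["'`]([A-Za-z0-9+\/=_\-]{20,})["'`]/g;
const ENTROPY_THRESHOLD = 4.5; // assumed cutoff; raise it if prose gets flagged

function findSecrets(text) {
  const findings = [];
  text.split("\n").forEach((line, i) => {
    const lineNo = i + 1;
    for (const rule of RULES) {
      for (const m of line.matchAll(rule.re)) {
        findings.push({ rule: rule.name, line: lineNo, value: m[0] });
      }
    }
    for (const m of line.matchAll(QUOTED)) {
      const token = m[1];
      // A token already caught by a pattern rule does not need an entropy hit too.
      if (findings.some(f => f.line === lineNo && f.value === token)) continue;
      const h = shannonEntropy(token);
      if (h >= ENTROPY_THRESHOLD) {
        findings.push({ rule: "high-entropy-string", line: lineNo, value: token, entropy: Number(h.toFixed(2)) });
      }
    }
  });
  return findings;
}

// Constructed sample resembling a bundled front-end file. The key pair is the
// AWS documentation example ("AKIAIOSFODNN7EXAMPLE" / "...EXAMPLEKEY"), not a
// real credential.
const SAMPLE_JS = `
// app bundle (constructed sample)
const cfg = {
  region: "us-east-1",
  accessKeyId: "AKIAIOSFODNN7EXAMPLE",
  secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
};
fetch("/.env").then(r => r.text());
`;

for (const f of findSecrets(SAMPLE_JS)) {
  console.log(`${f.rule}\tline ${f.line}\t${f.value}${f.entropy ? `\t(H=${f.entropy})` : ""}`);
}
```

The key ID line is caught by the pattern rule alone: its entropy is well under the cutoff, which is why a scanner needs both kinds of rule. The secret key, which has no fixed structure, is caught only by entropy. In a real extension the next step is to confirm a hit before reporting it, for example by checking whether the referenced `/.env` actually returns content, rather than reporting on the string match alone.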
The extension is currently undergoing Google’s security review for the Chrome Web Store and, until that completes, can only be sideloaded.