The uncontrolled sprawl of exposed, insecure APIs puts sensitive personal and corporate data at high risk, as shown by the numerous data breaches like the T-Mobile hack ($350M fine in 2022), the Peloton data exposure in 2021, and many others.
However, in some cases, instead of the API itself being insecure, the main reason for the breaches is the leaking of API secret keys and tokens. The 2023 incidents, including the leaked Microsoft Account Consumer Key and the OpenSea third-party vendor breach, perfectly illustrate how secrets can be exploited in attacks.
The exposure of API secret keys, which authenticate and authorize requests to your API, to outsiders can jeopardize the security and privacy of your application and have a substantial financial impact - think $17M we discovered via one exposed Stripe token. For more information, check out our report "The API Secret Sprawl" and learn how we discovered over 18,000 API secret tokens and $20M in Stripe tokens.
In this blog post, I dive into the nature of API secret keys and the risks associated with their exposure. More than that, I’ll share essential practices for securing your API secret keys against leaks in front ends - when it's too late. Adopting these strategies will help you protect your applications - which is a continuous journey anyway!
What are secret API keys?
Secret API keys are unique identifiers used by applications to authenticate and authorize access to an API. They serve as a form of authentication, allowing the API to verify the identity of the requesting application. These keys are typically kept confidential and should be securely managed to prevent unauthorized access to sensitive data or actions within the API.
Secret API keys serve as secure tokens to authenticate and authorize requests made to your API. They are deemed secret because their exposure to unauthorized individuals or the public could lead to security breaches. If a malicious entity gains access to your secret API key, they could potentially impersonate you, gaining the ability to access or alter your data, functionality, and resources.
What's the difference with the regular API keys you might ask yourself?
These secret keys are distinct from regular API keys, which primarily serve to identify you to the API. Unlike regular keys that are often transmitted in an unencrypted manner, such as within a URL’s query string or in the headers of a request, secret API keys encrypt your requests. These encrypted requests are then decrypted by the server using the matching secret key, ensuring that the request is indeed originating from you.
Moreover, some APIs opt for a dual-key security mechanism, incorporating a pair of keys like an API key and an App ID, or an API key and a secret. In such scenarios, both keys must be submitted with requests. However, only one is exploited for encryption purposes, while the other assists the server in retrieving the corresponding secret key for decryption. This dual-key approach fortifies security by enabling the server to verify both the requester’s identity and the request’s authenticity.
What causes API key exposure?
API key exposure is a grave security concern that arises from several practices. Identify and avoid the following common causes to protect your API keys:
- Embedding API keys in code (please, don't 🙏): This dangerous practice can unintentionally reveal your API keys to the public, especially if your code is shared on platforms like GitHub. If your code is accessible, so are your API keys, making them vulnerable to misuse by malicious actors.
- Storing API keys in your application's source tree: Another hazardous approach is to store your API keys within your application’s source files. Such a practice makes your API keys vulnerable to being leaked if your source code control system is compromised or if it's publicly accessible.
- Storying API keys in front-end code like Javascript: in our research 35% of the exposed secrets were found in a JavaScript file. Some developers opt to compile all code, including sensitive setup files, into a single extensive JavaScript file for convenience. However, this approach unwittingly exposes crucial secrets to unauthorized access, which is critical for the seamless operation and intercommunication of the application.
- Sending API keys in plain text: A frequent oversight is transmitting API keys without encryption, leaving them exposed to anyone who might intercept your network traffic - this includes hackers, internet service providers, or government entities. To prevent this, always encrypt your API keys and use secure communication protocols like HTTPS when interacting with your API server.
- Using the same API keys for multiple APIs or services: Employing the same API key across different services not only indicates poor design but also magnifies the consequences of a single API key exposure. An exposed key could jeopardize multiple services or APIs. Maintain separate API keys for each service and limit their use to necessary scopes and domains.
Steering clear of these common pitfalls can significantly lower the risk of your API keys becoming exposed, thus ensuring the security, privacy, and efficiency of your application.
Best practices to secure your API secret keys
Here are the essential steps to mitigate the risks of secret API keys exposure:
- Centralize API keys and tokens management: Centralizing token management enables secure storage, access, and rotation. Consolidating all tokens in one location allows you to monitor their usage comprehensively, identifying potential vulnerabilities in your system.
- Rotate API keys and tokens Regularly: Regularly rotating tokens mitigates the risk in case of compromise. For instance, AWS Secrets Manager supports the automated rotation of secrets.
- Assign Tokens to Specific Teams or Services: Ensure that only necessary personnel or services have access to each token by assigning them to specific teams or services.
- Create a Revocation Process: Establish a clear revocation process to promptly revoke tokens in the event of a compromise.
- Grant Correct Permissions: Grant only the necessary permissions for each token to minimize potential damage.
- Limit Token Scope: Restrict the access scope of each token within your system.
- Monitor Usage Patterns: Keep a vigilant eye on how tokens are used to identify any unusual activity.
- Educate Your Internal Teams: Ensure that all team members understand the importance of token security and adhere to best practices. Consider enhancing the security experience through gamification or implementing a Security Champion Program, following The Security Champion Program Success Guide.
These measures are crucial for protecting your API tokens and maintaining secure and compliant systems. For more detailed information, you can refer to the resources provided by AWS Secrets Manager and Hashicorp.
Don't wait until it’s too late! Begin implementing these security measures as quickly as possible.
Top comments (0)