API Keys on GitHub

7 points

12 years ago

I wanted to add something a little more dangerous to this recent meme. A lot of the time, people bake credentials into apps and then accidentally commit them. Especially database credentials and API keys.

A naive approach for hunting API keys gets a of false positives; things like api_key = "<VALID KEY>". But if we put some characters you'd be likely to find in an API key, we get a much better ratio.

https://github.com/search?q=api_key+%3D+%22z9&type=Code&ref=searchresults

Repeating the search with different values can yield a lot of keys.

Another method is to go for less keys, but more valuable ones. This has an awful signal/noise ratio, but the keys you find are pure gold to a bad guy.

https://github.com/search?q=amazon+api+key+%3D+%22g&type=Code&ref=searchresults

I expect most of these keys are redacted by now, but this has lead to real compromise in the past. This story was on HN a while back:

http://vertis.io/2013/12/16/unauthorised-litecoin-mining.html

2 comments