
Introduction:
API keys are the digital keys to the kingdom, but when they are accidentally committed to public code repositories, they become a goldmine for attackers. During a recent Vulnerability Disclosure Program (VDP) with GovTech Singapore, security researcher ATTER Koffi Kallern uncovered an exposed API key on GitHub that allowed unauthorized file uploads and access to sensitive resources. This article replicates the exact methodologies used to discover, verify, and report such exposures, while equipping both bug hunters and defenders with actionable techniques.
Learning Objectives:
- Understand how to discover, exploit, and report API key exposures using industry-standard tools and GitHub dorking techniques.
- Learn Linux and Windows commands for reconnaissance, API security testing, and secret scanning.
- Master step-by-step disclosure workflows via VDPs like GovTech Singapore and bug bounty platforms.
You Should Know
1. Initial Reconnaissance: Uncovering the Exposed API Key on GitHub
The core of this vulnerability discovery is the accidental exposure of credentials, which often happens when developers hardcode API keys directly into source code or configuration files that are then pushed to public repositories. Attackers and bug hunters leverage GitHub’s powerful search engine to find these keys using targeted “dorks.” By using basic search patterns, you can uncover a wide range of exposed secrets, from AWS keys to Stripe tokens. The following step-by-step process simulates how Koffi Kallern and other professionals identify such leaks.
Step-by-step guide explaining what this does and how to use it:
1. Navigate to GitHub Search: Go to https://github.com/search.
2. Input Targeted Queries: Enter specific search patterns to locate files containing secrets. Common queries include:
   – `"api_key"` (basic pattern)
   – `"AKIA"` (AWS Access Key ID prefix)
   – `"sk-"` (OpenAI API key prefix)
   – `path:/.env "API_KEY"` (search for `.env` files containing the string "API_KEY")
   – `extension:js "API_KEY"` (search JavaScript files for hardcoded keys)
3. Refine Results: After pressing Enter, click on the "Code" tab to see the actual file contents where the keys are exposed.
4. Using Command Line (Linux): For a more automated approach, you can use `curl` and `jq` with the GitHub REST API to search for secrets programmatically. This is useful for scanning multiple targets or automating the initial discovery phase.
```bash
# Linux search using curl and jq
# Search for a specific pattern in a target organization's repositories.
# The code-search endpoint only answers authenticated requests, so a token
# (here read from $GITHUB_TOKEN) is required; the URL is quoted so the shell
# does not interpret '?' or '+'.
curl -s -H "Accept: application/vnd.github.v3+json" \
     -H "Authorization: Bearer $GITHUB_TOKEN" \
     "https://api.github.com/search/code?q=org:target_org+api_key+extension:env" \
  | jq '.items[] | {repository: .repository.full_name, path: .path, url: .html_url}'
```
Windows Alternative (PowerShell):
```powershell
# Windows PowerShell equivalent using Invoke-RestMethod
# The query is URL-encoded (it contains spaces) and the request is
# authenticated with a token held in $env:GITHUB_TOKEN.
$query = [uri]::EscapeDataString("org:target_org api_key extension:env")
$headers = @{
    "Accept"        = "application/vnd.github.v3+json"
    "Authorization" = "Bearer $env:GITHUB_TOKEN"
}
$response = Invoke-RestMethod -Uri "https://api.github.com/search/code?q=$query" -Headers $headers
$response.items | Select-Object -Property @{Name = "Repository"; Expression = { $_.repository.full_name }}, path, html_url
```
2. Validation and Exploitation: Confirming the API Key is Active
Finding a key is only half the battle; the next critical step is to validate whether the key is still active and understand its permissions. The exposed key discovered during the GovTech VDP allowed for file uploads and access to sensitive resources. This section outlines how to test the validity and scope of a potentially exposed API key, using both manual and automated methods. For defenders, this is also the stage where you would revoke a compromised key and analyze its recent activity.
Step-by-step guide explaining what this does and how to use it:
1. Manual Verification: Use `curl` to make a simple API call to a non-destructive endpoint (e.g., a `GET` request to a status endpoint). This confirms if the key is accepted by the server without causing any changes.
```bash
# Example: Test a Google Maps API key
curl "https://maps.googleapis.com/maps/api/geocode/json?address=1600+Amphitheatre+Parkway,+Mountain+View,+CA&key=YOUR_API_KEY_HERE"
```
2. Check Permissions: If the key is for a cloud provider like AWS, use the AWS CLI to list accessible resources. This step is crucial to determine the blast radius. Note: Never run unknown or potentially destructive commands on a key you do not own.
```bash
# Using AWS CLI to check what an exposed key can access
export AWS_ACCESS_KEY_ID=AKIA...
export AWS_SECRET_ACCESS_KEY=...
aws sts get-caller-identity
aws s3 ls
```
3. Automated Testing with KeyHacks: Use the `KeyHacks` repository, which provides scripts and techniques to quickly test if various API keys are valid and to determine their associated permissions. After cloning the repository, you can run a script for the specific type of key you’ve found to check its functionality.
```bash
# Clone KeyHacks repository
git clone https://github.com/DanBrown47/KeyHacks.git
cd KeyHacks
# Follow the specific instructions for the key type (e.g., Slack, Stripe, etc.)
```
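The same validation steps look different from the defender's side: once a key is known to be exposed, the question is what it was actually used for before revocation. The script below is an added example written for this article (it is not part of the original post, nor any AWS tooling). It reads CloudTrail-style events, keeps only those made with the leaked access key ID, and reports the services touched, successful write actions, denied attempts and the source IPs involved. The field names follow CloudTrail's record format (`eventTime`, `eventSource`, `eventName`, `sourceIPAddress`, `userIdentity.accessKeyId`, `errorCode`); the events and the key ID are constructed sample data, not real logs.

```python
"""Summarise what an exposed AWS access key did, from CloudTrail-style events.

Added example for this article (not part of the original post). The records
below are constructed: a leaked key is first validated with sts/s3 (mirroring
the manual steps above), then uploads a file, then is refused when it tries
to create an IAM user. The last record belongs to a different key and must be
ignored by the analysis.
"""
import json
from collections import Counter

# Event names starting with these verbs are treated as read-only.
READ_PREFIXES = ("Get", "List", "Describe", "Head")

LEAKED_KEY = "AKIA2BQ7XL9KD3MPW5TZ"  # constructed, not a real key

SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": LEAKED_KEY}},
    {"eventTime": "2024-05-01T10:00:05Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": LEAKED_KEY}},
    {"eventTime": "2024-05-01T10:01:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": LEAKED_KEY},
     "requestParameters": {"bucketName": "example-uploads"}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": LEAKED_KEY}, "errorCode": "AccessDenied"},
    {"eventTime": "2024-04-30T09:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAUNRELATEDKEY0001"}},
]


def load_records(path):
    """Read a CloudTrail log file of the form {"Records": [...]} from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)["Records"]


def key_activity(records, access_key_id, known_ips=()):
    """Return a blast-radius summary for one access key, or None if it never appears."""
    mine = [r for r in records
            if r.get("userIdentity", {}).get("accessKeyId") == access_key_id]
    if not mine:
        return None
    times = sorted(r["eventTime"] for r in mine)  # ISO-8601 strings sort chronologically
    calls = Counter((r["eventSource"], r["eventName"]) for r in mine)
    denied = sorted((r["eventSource"], r["eventName"]) for r in mine if r.get("errorCode"))
    # A write that was *not* denied is the part of the blast radius that actually happened.
    writes = sorted({(r["eventSource"], r["eventName"]) for r in mine
                     if not r["eventName"].startswith(READ_PREFIXES) and not r.get("errorCode")})
    ips = sorted({r["sourceIPAddress"] for r in mine})
    return {
        "events": len(mine),
        "first_seen": times[0],
        "last_seen": times[-1],
        "services": sorted({source for source, _ in calls}),
        "calls": dict(calls),
        "successful_writes": writes,
        "denied": denied,
        "source_ips": ips,
        "unknown_ips": [ip for ip in ips if ip not in set(known_ips)],
        "read_only": not writes,
    }


if __name__ == "__main__":
    # Known-good IP is constructed; anything else is flagged for follow-up.
    summary = key_activity(SAMPLE_EVENTS, LEAKED_KEY, known_ips=["198.51.100.7"])
    print(json.dumps(summary, indent=2))
```

Run it as-is to see the summary for the constructed key, or replace `SAMPLE_EVENTS` with `load_records("path/to/cloudtrail.json")`. The `successful_writes` and `unknown_ips` fields are the ones that decide whether revoking the key is enough or whether uploaded objects and other side effects also need to be cleaned up.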
3. Mitigation and Prevention: Locking Down Your Secrets
Preventing an API key leak is far more effective than dealing with its aftermath. The key to prevention is to ensure that secrets are never hardcoded in the source code in the first place. This section provides a developer’s guide to implementing preventative measures, using a combination of local guardrails and repository-wide scans. For organizations, this involves enforcing policies and using automated tools to scan for secrets at every stage of the development lifecycle.
Step-by-step guide explaining what this does and how to use it:
1. Implement Pre-commit Hooks: Install a local pre-commit hook like KeyGate or `detect-secrets` to scan staged files for secrets before a commit is created. KeyGate is a fast, offline tool that blocks likely API keys, passwords, and tokens, preventing them from ever entering your Git history.
```bash
# Install KeyGate using pipx
pipx install keygate
# Activate KeyGate in your repository
keygate activate
# That's it! KeyGate now runs automatically before every git commit.
```
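To show what such a hook does under the hood, here is a minimal pre-commit scanner added for this article (it is not KeyGate, `detect-secrets` or gitleaks code). It turns the same signatures the reconnaissance dorks in section 1 search for (the `AKIA` prefix, the `sk-` prefix, and `api_key`/`secret`/`token` assignments) into regular expressions, runs them over the files staged for commit, and fails the commit when a likely secret is found. Two refinements keep it usable: values that look like placeholders (`YOUR_API_KEY_HERE`) are ignored, and generic matches must pass a Shannon-entropy threshold so `token = "aaaa..."` does not fire. The sample `.env` contents and the key values in it are constructed.

```python
"""Pre-commit style secret scanner (added example, not KeyGate/detect-secrets/gitleaks).

Applies the dork-style signatures from the reconnaissance section to staged
files and exits non-zero when a likely secret is present. Sample data is constructed.
"""
import math
import re
import subprocess
import sys
from collections import Counter
from dataclasses import dataclass

# Rules are ordered most-specific first; a given value on a line is reported once.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "openai_api_key": re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"),
    # keyword = "value": the value is captured in group 2 and entropy-checked
    "generic_api_key": re.compile(
        r"(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{16,})"
    ),
}
PLACEHOLDER_MARKERS = ("YOUR_", "EXAMPLE", "CHANGEME", "PLACEHOLDER", "XXXX")
GENERIC_ENTROPY_THRESHOLD = 3.0  # bits per character; a repeated character scores 0

# Constructed sample file: one placeholder, two real-looking keys, one low-entropy value.
SAMPLE_ENV = """\
# constructed sample file, not a real configuration
API_KEY=YOUR_API_KEY_HERE
AWS_ACCESS_KEY_ID=AKIA2BQ7XL9KD3MPW5TZ
OPENAI_API_KEY=sk-9f3Kd82LmQp1Zx7Ta4Wc0Vb6Yn5Rh2Ju
token = "aaaaaaaaaaaaaaaaaaaa"
"""


@dataclass
class Finding:
    path: str
    line_no: int
    rule: str
    redacted: str


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random-looking strings score well above 3."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def is_placeholder(value: str) -> bool:
    upper = value.upper()
    return any(marker in upper for marker in PLACEHOLDER_MARKERS)


def redact(value: str) -> str:
    """Keep only the first and last four characters so reports never echo the secret."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(path: str, text: str) -> list:
    """Return one Finding per distinct likely secret per line of `text`."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        seen = set()
        for rule, pattern in RULES.items():
            for match in pattern.finditer(line):
                candidate = match.group(2) if match.lastindex else match.group(0)
                if candidate in seen or is_placeholder(candidate):
                    continue
                if rule == "generic_api_key" and shannon_entropy(candidate) < GENERIC_ENTROPY_THRESHOLD:
                    continue
                seen.add(candidate)
                findings.append(Finding(path, line_no, rule, redact(candidate)))
    return findings


def staged_files() -> list:
    """Paths staged for the next commit (added, copied or modified only)."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM", "-z"],
        capture_output=True, check=True,
    ).stdout
    return [p.decode() for p in out.split(b"\0") if p]


def main() -> int:
    findings = []
    for path in staged_files():
        try:
            with open(path, encoding="utf-8", errors="ignore") as fh:
                findings.extend(scan_text(path, fh.read()))
        except OSError:
            continue  # file vanished between staging and the hook running
    for f in findings:
        print(f"{f.path}:{f.line_no}: {f.rule} ({f.redacted})")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Save it as `.git/hooks/pre-commit` (and make it executable) or wire it into your pre-commit framework of choice; on the constructed `SAMPLE_ENV`, `scan_text` reports the AWS key on line 3 and the OpenAI-style key on line 4 while skipping the placeholder and the low-entropy token. The redaction step matters in practice: a hook that prints the full secret to a CI log has just leaked it a second time.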
2. Enable Repository Scanning: For public repositories, GitHub automatically enables Secret Scanning. You can also enable Push Protection to block commits containing secrets. For private repositories, this feature is available with GitHub Advanced Security.
```yaml
# GitHub Actions workflow to scan for secrets using Gitleaks
# Create a file at .github/workflows/gitleaks.yml
name: gitleaks
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```
3. Use Environment Variables and Secret Managers: The most fundamental practice is to never hardcode secrets. Use environment variables or a dedicated secret manager like HashiCorp Vault or Azure Key Vault.
```python
# Python example using environment variables
import os
API_KEY = os.environ.get("API_KEY")
# Now use API_KEY in your code instead of a hardcoded string
```
```javascript
// Node.js example using environment variables
const API_KEY = process.env.API_KEY;
```
```gitignore
# Example .gitignore content to prevent .env files from being committed
.env
.env.local
.env.*.local
config.json
secrets.yml
```
What Undercode Says:
- The Surface Area for Credential Leakage is Expanding: The shift to cloud-native development and collaborative platforms like GitHub has significantly increased the risk of secrets exposure. Every new repository, CI/CD pipeline, or developer endpoint is a potential leak point, and traditional perimeter-based security models fail to address this reality.
- Shift-Left Security is No Longer Optional: The discovery of an exposed API key during a VDP is a direct consequence of failures in the development lifecycle. Proactive measures like pre-commit hooks and automated secret scanning must be integrated into the earliest stages of the software development lifecycle (SDLC) to be effective. These tools act as a necessary safety net for human error.
Analysis: The incident underscores that API key management is not solely a technical issue but a procedural and cultural one. While tools like GitHub Secret Scanning and KeyGate provide powerful technical controls, they must be paired with a strong security culture that prioritizes secret hygiene. The fact that a key granting such powerful permissions (file uploads, access to sensitive resources) was publicly discoverable indicates a systemic failure in implementing even basic security best practices. From an attacker’s perspective, this is a low-effort, high-impact vulnerability. For defenders, it’s a clear signal to audit their repositories, rotate all existing keys, and immediately implement the preventative measures outlined above.
Prediction:
- +1: As GitHub Secret Scanning and similar services evolve to detect more complex patterns and integrate with secret management platforms, the discovery of exposed keys will shift further left, making it harder for developers to accidentally push them.
- -1: The volume of API key exposures on public repositories will continue to rise as more organizations adopt microservices and API-first architectures without maturing their secret management practices, leading to an increase in data breaches and cloud account takeovers.
- -1: Attackers will increasingly automate the process of scanning for, validating, and exploiting exposed keys, reducing the window of opportunity for defenders to discover and revoke them. This will favor sophisticated threat actors who can quickly monetize access before a key is rotated.
- +1: Bug bounty programs and VDPs will play an even more critical role in identifying these exposures, acting as a last line of defense. This will incentivize organizations to invest more heavily in their own internal scanning and monitoring to avoid public disclosure and potential bounties paid to researchers.
Reported By: Atter Koffi – Hackers Feeds