

API Keys on GitHub - fabulist

I wanted to add something a little more dangerous to this recent meme. A lot of the time, people bake credentials into apps and then accidentally commit them. Especially database credentials and API keys.

A naive approach for hunting API keys gets a lot of false positives; things like api_key = "<VALID KEY>". But if we put in some characters you'd be likely to find in an API key, we get a much better ratio.

https://github.com/search?q=api_key+%3D+%22z9&type=Code&ref=searchresults

Repeating the search with different values can yield a lot of keys.

Another method is to go for fewer keys, but more valuable ones. This has an awful signal/noise ratio, but the keys you find are pure gold to a bad guy.

https://github.com/search?q=amazon+api+key+%3D+%22g&type=Code&ref=searchresults

I expect most of these keys are redacted by now, but this has led to real compromise in the past. This story was on HN a while back:

http://vertis.io/2013/12/16/unauthorised-litecoin-mining.html
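The search trick in the post (append a couple of characters that placeholders never contain, such as `z9`, after the opening quote) is a heuristic for separating real keys from `<VALID KEY>`-style stand-ins. Below is an added example, not code from the post or from GitHub, that applies the same idea to local text and generalises it: it looks for credential-like assignments, drops known placeholder patterns, and requires mixed letters and digits plus a Shannon-entropy floor. The sample lines and the key-looking values in them are constructed for illustration and are not real credentials; the name `find_keys` and the thresholds are this example's own choices.

```python
"""Heuristic API-key hunter: the 'api_key = "z9' trick from the post, generalised.

Added example, not from the original post. The sample source lines below are
constructed for illustration; the keys in them are made-up strings, not real
credentials. The GitHub search in the post looks for an assignment followed by
characters that rarely appear in placeholders; this scanner does the same on
local text, then adds an entropy check to drop obvious placeholders.
"""
import math
import re

# Assignment of a quoted value to a name that smells like a credential.
ASSIGN_RE = re.compile(
    r'(?i)\b([A-Za-z_]*(?:api[_-]?key|secret|token|password)[A-Za-z_]*)'
    r'\s*[:=]\s*["\']([^"\']+)["\']'
)

# Placeholders people commit on purpose; these are the false positives the post mentions.
PLACEHOLDER_RE = re.compile(r'(?i)^<.*>$|your|xxx|example|changeme|todo|replace')


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random keys score high, words score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_key(value: str, min_len: int = 16, min_entropy: float = 3.0) -> bool:
    """Apply the post's heuristic: mixed letters and digits, not a placeholder,
    plus a length and entropy floor (the entropy floor is this example's addition)."""
    if len(value) < min_len or PLACEHOLDER_RE.search(value):
        return False
    has_alpha = any(c.isalpha() for c in value)
    has_digit = any(c.isdigit() for c in value)
    return has_alpha and has_digit and shannon_entropy(value) >= min_entropy


def find_keys(text: str):
    """Return (line_number, variable_name, value) for each likely live credential."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ASSIGN_RE.finditer(line):
            name, value = m.group(1), m.group(2)
            if looks_like_key(value):
                hits.append((lineno, name, value))
    return hits


# Constructed sample: four values that should be ignored, two that should be flagged.
SAMPLE = '''
api_key = "<VALID KEY>"
API_KEY = "YOUR_API_KEY_HERE"
aws_secret_key = "xxxxxxxxxxxxxxxxxxxxxxxx"
api_key = "z9Qm4tLp7Xs2Wk8vBn3Rd6Yh1Ju5"
password = "hunter2"
token = "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6"
'''

if __name__ == "__main__":
    for lineno, name, value in find_keys(SAMPLE):
        print(f"line {lineno}: {name} = {value[:6]}...")
```

Run it over a checked-out repository (`git log -p` output works too, since deleted keys stay in history) and tune `min_entropy` against your own false-positive rate; short secrets like `hunter2` fall below the length floor on purpose, because at that length the heuristic cannot tell a password from a word.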
======
techaddict009
Seems like you found a gold mine for hackers!

~~~
fabulist
They've been abusing it for a long time, and GitHub has taken steps to
remediate the situation.

There are also other avenues, such as PasteBin. I've seen a bunch of people
post, say, router configurations to PasteBin to share them with tech support,
including passwords encrypted with Cisco's broken password 7.

RaiderSec built a bot that finds them automatically: twitter.com/dumpmon
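To show why a pasted config with "password 7" strings is effectively a cleartext leak, here is an added example (not from the thread or from dumpmon) that decodes Cisco type 7 strings and pulls them out of a config. Type 7 is a fixed XOR pad: two decimal digits give a starting offset into a constant key, then each hex byte is XORed with the next key byte. The key has been public for decades. The config fragment below is constructed and its passwords are made up; `recover_from_config` and the regex are this example's own.

```python
"""Decoder for Cisco 'password 7' strings, the reversible obfuscation the
comment above calls broken. Added example, not from the thread; the config
snippet below is constructed and the passwords in it are made up.

Format: two decimal digits giving a start offset into a fixed key, then one
hex byte per character, each XORed with the next key byte. Anyone with the
key (it has been public for decades) recovers the plaintext instantly, so a
type 7 string in a pasted config is as good as the cleartext password.
"""
import re

# Fixed XOR key used by IOS for type 7 obfuscation (publicly known).
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Reverse a type 7 string; raises ValueError on malformed input."""
    if len(encoded) < 4 or len(encoded) % 2 != 0:
        raise ValueError("type 7 string needs a 2-digit seed plus hex byte pairs")
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    out = bytearray()
    for i, b in enumerate(data):
        out.append(b ^ XLAT[(seed + i) % len(XLAT)])
    return out.decode("ascii")


def encode_type7(plaintext: str, seed: int = 0) -> str:
    """Produce a type 7 string; useful to show the scheme is just a fixed XOR pad."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 0..15")
    body = "".join(
        f"{c ^ XLAT[(seed + i) % len(XLAT)]:02X}"
        for i, c in enumerate(plaintext.encode("ascii"))
    )
    return f"{seed:02d}{body}"


# Matches 'password 7 <hex>' and 'key 7 <hex>' lines in an IOS-style config.
TYPE7_RE = re.compile(r"\b(?:password|key)\s+7\s+([0-9A-Fa-f]{4,})\b")


def recover_from_config(config: str):
    """Return [(line_number, plaintext)] for every type 7 string in a config."""
    hits = []
    for lineno, line in enumerate(config.splitlines(), 1):
        for m in TYPE7_RE.finditer(line):
            try:
                hits.append((lineno, decode_type7(m.group(1))))
            except ValueError:
                continue  # malformed string, e.g. odd number of hex digits
    return hits


# Constructed router config fragment, as someone might paste for tech support.
# The last line is deliberately malformed (odd hex length) to exercise the skip path.
SAMPLE_CONFIG = """\
hostname edge-rtr
enable password 7 094F471A1A0A
username admin password 7 020E11551F031D73
line vty 0 4
 password 7 08227
"""

if __name__ == "__main__":
    for lineno, plaintext in recover_from_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {plaintext}")
```

The round trip `decode_type7(encode_type7(p, seed))` returning `p` for any seed is the whole point: there is no secret in the scheme, only the key table, so a type 7 string protects against nothing but shoulder surfing. Before pasting a config anywhere, replace these with `enable secret` (hashed) and scrub the `7` lines.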

