API Keys on GitHub

7 points by fabulist ↗ HN
I wanted to add something a little more dangerous to this recent meme. A lot of the time, people bake credentials into apps and then accidentally commit them. Especially database credentials and API keys.

A naive approach for hunting API keys gets a of false positives; things like api_key = "<VALID KEY>". But if we put some characters you'd be likely to find in an API key, we get a much better ratio.

https://github.com/search?q=api_key+%3D+%22z9&type=Code&ref=searchresults

Repeating the search with different values can yield a lot of keys.

Another method is to go for less keys, but more valuable ones. This has an awful signal/noise ratio, but the keys you find are pure gold to a bad guy.

https://github.com/search?q=amazon+api+key+%3D+%22g&type=Code&ref=searchresults

I expect most of these keys are redacted by now, but this has lead to real compromise in the past. This story was on HN a while back:

http://vertis.io/2013/12/16/unauthorised-litecoin-mining.html

2 comments

[ 4.4 ms ] story [ 10.3 ms ] thread
Seems like you found a gold mine for hackers!
They've been abusing it for a long time, and GitHub has taken steps to remediation the situation.

There are also other avenues, such as PasteBin. I've seen a bunch of people post, say, router configurations to PasteBin to share them with tech support, including password encrypted with Cisco's broken password 7.

RaiderSec built a bot that find them automatically: twitter.com/dumpmon