How to secure your API secret keys from being exposed?

The uncontrolled sprawl of exposed, insecure APIs puts sensitive personal and corporate data at high risk, as shown by the numerous data breaches like the T-Mobile hack ($350M fine in 2022), the Peloton data exposure in 2021, and many others.

However, in some cases, instead of the API itself being insecure, the main reason for the breaches is the leaking of API secret keys and tokens. The 2023 incidents, including the leaked Microsoft Account Consumer Key and the OpenSea third-party vendor breach, perfectly illustrate how secrets can be exploited in attacks (we'll show how below 😬).

The exposure of API secret keys, which authenticate and authorize requests to your API, to outsiders can jeopardize the security and privacy of your application and have a substantial financial impact - think $17M we discovered via one exposed Stripe token.

In this blog post, we dive into the nature of API secret keys, the risks associated with their exposure, and the potential repercussions for your business. More than that, we’ll share essential practices for securing your API secret keys against leaks in front ends - when it's too late. Adopting these strategies will help you protect your applications - which is a continuous journey anyway!

What are secret API keys?

Secret API keys are unique identifiers used by applications to authenticate and authorize access to an API. They serve as a form of authentication, allowing the API to verify the identity of the requesting application. These keys are typically kept confidential and should be securely managed to prevent unauthorized access to sensitive data or actions within the API.

Secret API keys serve as secure tokens to authenticate and authorize requests made to your API. They are deemed secret because their exposure to unauthorized individuals or the public could lead to security breaches. If a malicious entity gains access to your secret API key, they could potentially impersonate you, gaining the ability to access or alter your data, functionality, and resources.

What's the difference with the regular API keys you might ask yourself?

These secret keys are distinct from regular API keys, which primarily serve to identify you to the API. Unlike regular keys that are often transmitted in an unencrypted manner, such as within a URL’s query string or in the headers of a request, secret API keys encrypt your requests. These encrypted requests are then decrypted by the server using the matching secret key, ensuring that the request is indeed originating from you.

Moreover, some APIs opt for a dual-key security mechanism, incorporating a pair of keys like an API key and an App ID, or an API key and a secret. In such scenarios, both keys must be submitted with requests. However, only one is exploited for encryption purposes, while the other assists the server in retrieving the corresponding secret key for decryption. This dual-key approach fortifies security by enabling the server to verify both the requester’s identity and the request’s authenticity.

What causes API key exposure?

API key exposure is a grave security concern that arises from several practices. Identify and avoid the following common causes to protect your API keys:

• Embedding API keys in code: This dangerous practice can unintentionally reveal your API keys to the public, especially if your code is shared on platforms like GitHub. If your code is accessible, so are your API keys, making them vulnerable to misuse by malicious actors.
• Storing API keys in your application's source tree: Another hazardous approach is to store your API keys within your application’s source files. Such a practice makes your API keys vulnerable to being leaked if your source code control system is compromised or if it's publicly accessible.
• Storying API keys in front-end code like Javascript: in our research 35% of the exposed secrets were found in a JavaScript file. Some developers opt to compile all code, including sensitive setup files, into a single extensive JavaScript file for convenience. However, this approach unwittingly exposes crucial secrets to unauthorized access, which is critical for the seamless operation and intercommunication of the application.
• Sending API keys in plain text: A frequent oversight is transmitting API keys without encryption, leaving them exposed to anyone who might intercept your network traffic - this includes hackers, internet service providers, or government entities. To prevent this, always encrypt your API keys and use secure communication protocols like HTTPS when interacting with your API server.
• Using the same API keys for multiple APIs or services: Employing the same API key across different services not only indicates poor design but also magnifies the consequences of a single API key exposure. An exposed key could jeopardize multiple services or APIs. Maintain separate API keys for each service and limit their use to necessary scopes and domains.

Steering clear of these common pitfalls can significantly lower the risk of your API keys becoming exposed, thus ensuring the security, privacy, and efficiency of your application.

Examples of recent data breaches related to leaked API secret keys

If you're not convinced of the dangers posed by leaked API secret keys, here are some examples for you:

• In the case of Microsoft, a cyberattack involved the advanced persistent threat (APT) actor, Storm-0558, who gained access to unclassified email data from various government agencies. This was achieved by discovering a leaked Microsoft Account Consumer Key, which allowed the threat actor to forge access tokens to enterprise email accounts. This incident underscores the importance of secure handling and regular rotation of API keys and access tokens.
• In February 2023, publicly accessible environment files were discovered on Lowe's Market website. These files leaked access tokens to AWS S3 buckets and API keys to third-party services. One of these leaked keys, GrocerKey API, allowed access to partial credit card information, addresses, and top-spending users, as well as the ability to send unsolicited orders, issue refunds, launch ad campaigns, reset passwords, and check in-store and in-app balances. Such exposure could potentially allow threat actors to access sensitive user information and manipulate website functionality.
• In a more recent case, OpenSea, an NFT marketplace, notified their customers of a breach with a third-party vendor. The data breach could have a significant impact since OpenSea is the second-largest non-fungible token (NFT) marketplace by trading volume (36.5%) after Blur (56.8%), which launched only a year ago. This incident highlights the risks associated with third-party integrations and the importance of securing API tokens that provide access to such services. 

How API key exposure can affect your business?

When your API keys are exposed, it could spell trouble for your business in a myriad of ways, both immediately and over time. Here are some of the potential repercussions:

• Data breaches: If your API keys fall into the wrong hands, they can be used to access or alter your sensitive data. This includes customer information, financial details, or proprietary data. The consequences could range from data loss to identity theft, fraud, or even legal issues. Moreover, a data breach can severely harm your reputation and the trust you've built with your customers and partners.
• API abuse: Exposed API keys open the door for attackers to exploit weaknesses in your API or carry out unauthorized actions. This could lead to the creation of fake accounts, data scraping, spamming of users, or even DDoS attacks. Such abuses can compromise your application’s security, disrupt its performance, and lead to potential downtime.
• Financial loss: Attackers can use exposed API keys to generate costs on your behalf. This might involve using up your API resources, going over your allotted quotas, or triggering billing. The fallout can lead to unexpected expenses, wasted resources, or a decrease in profits, impacting your budget and financial planning. Just from simple 3-day research, we have accessed $20M in Stripe tokens; think what dangers experienced hackers might present!
• Regulatory compliance: Using exposed API keys inappropriately can also lead to violations of regulatory obligations. This might mean exposing personal data, breaking contracts, or infringing upon laws, leading to fines, penalties, legal action, or sanctions. Your legal standing and credibility can be seriously affected. Regulatory bodies are only getting stricter and stricter each year - think PCI DSS 4.0.

Being aware of how API key exposure can impact your business underlines the critical importance of protecting your API keys and preventing their unauthorized disclosure.

Best practices to secure your API secret keys

Here are the essential steps to mitigate the risks of secret API keys exposure:

• Centralize API keys and tokens management: Centralizing token management enables secure storage, access, and rotation. Consolidating all tokens in one location allows you to monitor their usage comprehensively, identifying potential vulnerabilities in your system.
• Rotate API keys and tokens Regularly: Regularly rotating tokens mitigates the risk in case of compromise. For instance, AWS Secrets Manager supports the automated rotation of secrets.
• Assign Tokens to Specific Teams or Services: Ensure that only necessary personnel or services have access to each token by assigning them to specific teams or services.
• Create a Revocation Process: Establish a clear revocation process to promptly revoke tokens in the event of a compromise.
• Grant Correct Permissions: Grant only the necessary permissions for each token to minimize potential damage.
• Limit Token Scope: Restrict the access scope of each token within your system.
• Monitor Usage Patterns: Keep a vigilant eye on how tokens are used to identify any unusual activity.
• Educate Your Internal Teams: Ensure that all team members understand the importance of token security and adhere to best practices. Consider enhancing the security experience through gamification or implementing a Security Champion Program, following The Security Champion Program Success Guide.

These measures are crucial for protecting your API tokens and maintaining secure and compliant systems. For more detailed information, you can refer to the resources provided by AWS Secrets Manager and Hashicorp.

Conclusion

In this blog post, we've explored the importance of API secret keys, shedding light on their roles, the risks involved if they're exposed, and the substantial effects this exposure can have on your business.

But more than that, we've offered a selection of best practices to keep your API secret keys in check, minimizing the risk of leaks or theft.

These strategies will help you protect your API secret keys, ensuring both the safety of your applications and the security of your business operations.

Recognizing the crucial role that API secret keys play in the functionality and security of your app is essential.

Don't wait until it’s too late! Begin implementing these security measures as quickly as possible.

💡 Want to learn more?

Check out the following articles and research p:

• Methodology: How we discovered over 18,000 API secret tokens
• Top 6 API security testing tools in 2024: a full review
• How to secure gRPC APIs
• What is API Sprawl? Understanding the growing challenge of 2024 and how to navigate it