An API Key is a way for an API to identify the source of an incoming request and authenticate that program or user against known permissions for accessing non-private user data. Simple API Keys do not offer enough security on their own to access private user data, but they do provide the opportunity for tracking and controlling how an API is being used.
Yet despite these secure intentions, this tutorial by Moshe Shaham on alephz.com explains how easy it can be to find secret API keys on GitHub. According to the author, thousands of API keys covering a range of services are publically exposed on the platform and at risk of misuse through hacking.
The simplest method for locating API keys is leveraging GitHub’s built-in search function by looking for common strings found around the API string itself. This type of vulnerability is largely down to developers who don’t change the example name of the variable that holds the secret key. The author then discusses vulnerabilities in AWS keys, as well as those of MailChimp using this method.
Another method is to crawl GitHub and search for patterns using regular expressions, such as the first two characters common to AWS keys, to locate relevant key strings. The author finishes the piece with some advice for those who design and implement APIs on how to properly protect secret keys from becoming public knowledge.