Finding API Keys on Github

Don’t leave sensitive things on Github thinking that no one is going to read your code

The other day I was developing a feature for LeetLinked, my Google/Bing scraping tool for Employee LinkedIn profiles and I found myself needing API access to HaveIBeenPwned.

Unfortunately, it was likely heavily abused and locked behind a paywall, which makes total sense. No shade to Troy Hunt for doing so. I was ready to pay the $4 a month for API access. My first instinct was “Oh, I’ll just stick it on my credit card and pay it later” as I’m sure most of you do. It turns out that didn’t work so well. My card vendor wasn’t approved. Alright, no proble, let me try my debit card instead. Declined.

What now? I want to integrate HaveIBeenPwned into my tool to more effectively search for valid email addresses and employees that were involved in Databreaches. What am I to do?

Never. Ever. Leave your API keys on Github. Someone like me will find them.

So after both of my payment methods failed, I took a look at the documentation and noticed that the API key was verified by a header hibp-api-key.

Have I Been Pwned API Documentation

I knew exactly what to look for – scripts that referenced hibp-api-key on Github.

hibp-api-key on Github

One Hundred and Seventy-Five results with hibp-api-key mentioned. Oh boy, are there some API Keys here.

Information redacted to protect the identity of the user. All users have been contacted with recomendations to remove the API key from their code.

And the API Key is valid.

And another!

In total I found approximately 6 valid API keys, thats a huge yikes. There were a few other API keys that I had found like MailHunter, Virus Total, etc. while searching for HIBP-API-Keys.

In conclusion: Don’t leave your API keys on Github. It’s a bad idea. People will use them. You may think that your code isn’t special and that no one is going to see it, unfortunately, you’re wrong. I will see it. Always ask yourself before uploading something - Is this information sensitive? Can I easily get it removed? If the answer to either of those is yes, don’t post it. You will regret it!

*Posts*

Deception-in-Depth---Overview-of-Kerberos,-Service-Accounts-&-Attacks---Part-1.5.md

Deception-in-Depth---Hiding-AD-Users-and-Groups---Part-1.md

Backdooring-KeePass-for-Fun-and-Profit.md

Deploying-BloodHound-Community-Edition-for-Pentesters.md

Enriching-BloodHound-Data.md

Programming-with-Impacket---Working-with-SMB.md

Source-Zero-Con-Writeup---Biscuits.md

Source-Zero-Con-Writeup---Compromised.md

Recovering-Your-Straight-Talk-Account-Number.md

Deception-in-Depth---Building-Deceptions-from-Breaches.md

Deceiving-Bloodhound---Remote-Registry-Session-Spoofing.md

Analyzing-a-Brute-Ratel-Badger.md

Cobalt-Strike-Beacon-Analysis-from-a-Live-C2.md

Source-Zero-Con-CTF---STL-Killer.md

Source-Zero-Con-CTF---Baby-XBee-1-2.md

Building-an-Active-Directory-Lab---Part-2.md

Deception-in-Depth---Spoofing-SMB-User-Sessions-Improved.md

Staged-vs-Stageless-Payloads.md

Building-an-Active-Directory-Lab---Part-1.md

Email-Spoofing---A-Full-Guide.md

OverWolfHelperx64---DLL-Injection-LOLBAS.md

Deception-in-Depth---LSASS-Injection.md

Deception-in-Depth---Spoofing-Logged-in-Users.md

How-Secure-is-Kali-Out-of-the-Box?.md

Remote-NTLM-Relaying-via-Meterpreter.md

Certification-Talk.md

Google-Is-Your-Best-Friend.md

Decrypting-TACACS+-Traffic-in-Wireshark.md

CVE-2020-12447-LFI-Within-Onkyo-TX-NR585-Web-Interface.md

CVE-2020-11799---Z-Cron-Lack-of-Access-Control.md