We are all used to having to use usernames and passwords for different services, and we are constantly told why it's important to keep our passwords secret and secure, using complex patterns so they are hard to guess. But did you know that an API key is much like a username and password combined into a single string of numbers and letters, e.g. API_KEY=Hi5L13Oqm9S6, used to access secured services?
An API key lets you connect an app or project to a service without providing your password; API stands for 'Application Programming Interface'. The API key grants some level of access to a service, for example to gather data from a database and display that information to your users.
API keys are simple and common practice on the web. When a key is used for a simple case, such as displaying read-only data to the user that isn't classed as secure or personal information, having it visible in code isn't such a big deal. But some services issue an API key that allows access not only to read data but also to write it.
Imagine your developer has been issued an API key that allows access to show your rental properties on your website, but that same key can also give access to tenant and staff details, perhaps for an admin area of the website that you intend only staff to access.
You might be thinking that all sounds OK, so what's wrong? Well, if a malicious user found the API key within the source code for your website, they could gain access to data that should be kept secure. If this data is considered personal data then you could be breaking the law (GDPR and/or the Data Protection Act 2018). If the data isn't personal, it could still be something your competitors could use, for example your sales data or suppliers' details.
Most developers use a version control service for storing their code; this is useful for rolling back changes, recovering lost code, or returning to an old version of a piece of software in the future. Most of these services have two modes, private and public. If an API key has been hard-coded and a developer commits their code to a public repository, then the source code, key included, can be viewed by everyone.
Even if the developer committed their code to a private repository, depending on the framework or platform they are using, once the code is compiled and deployed to production the API key can still be visible to anyone who knows how to use the Dev Tools within a browser, because anything shipped to the browser, JavaScript bundles included, can be read by the person running it.
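The simplest defence against the leak described above is to catch a hard-coded key before it is ever committed. The following is an added example, not code from the original post: a small scanner that looks for quoted literals assigned to secret-looking names (the name list, the 8-character minimum and the placeholder list are assumptions chosen for this example), reports them with the value redacted, and ignores lines that read the value from the environment instead. The sample source it scans is constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Matches a quoted literal assigned to a secret-looking name, such as
#   API_KEY = "Hi5L13Oqm9S6"      or      "apiKey": 'sk_live_...'
# The name list, the 8-character minimum and the placeholder list below are
# assumptions chosen for this example, not a standard.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)(?P<name>\w*(?:api[_-]?key|secret|token|password)\w*)"
    r"['\"]?\s*[:=]\s*['\"](?P<value>[^'\"]{8,})['\"]"
)
PLACEHOLDERS = {"placeholder", "changeme", "your-api-key", "xxxxxxxx"}


@dataclass
class Finding:
    line_no: int
    name: str
    value: str


def scan_source(text: str) -> List[Finding]:
    """Return every hard-coded secret literal found in the given source text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in SECRET_ASSIGNMENT.finditer(line):
            value = match.group("value")
            if value.lower() in PLACEHOLDERS or "example" in value.lower():
                continue  # obvious dummy values are not leaks
            findings.append(Finding(line_no, match.group("name"), value))
    return findings


def redact(value: str) -> str:
    """Keep only the first four characters so the report does not re-leak the key."""
    return value[:4] + "*" * (len(value) - 4)


# Constructed sample file: lines 3 and 4 hard-code keys, line 5 reads one from
# the environment (safe), line 6 is a placeholder that should be ignored.
SAMPLE_SOURCE = """\
import os
# settings for the rental listings page
API_KEY = "Hi5L13Oqm9S6"
config = {"apiKey": 'sk_live_constructed_0123456789'}
DB_PASSWORD = os.environ["DB_PASSWORD"]
token = "placeholder"
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.name} = {redact(f.value)}  <- move this to a secret store")
```

Run it as a pre-commit hook over changed files and fail the commit on any finding; the redaction matters because the scanner's own output often ends up in CI logs, which are another place a key can leak.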
Luckily there are a few ways you can protect yourself from this:
If a service you are using allows you to customise the access that the API key has, make sure you give it the least permissions needed to do the job.
Rate limiting API keys: this allows you to set a total number of requests that a specified API key is allowed to make. This is useful if you are paying per request for a service: if a malicious user were sending requests with your API key, a rate limit means you only spend the budget you have set. Imagine if you didn't have a limit set; you could end up paying a very large bill.
Using 'Secrets' in GitHub: this version control service stores your API key in an encrypted section within the system and passes it as an environment variable when required, within a build process for example.
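The three protections above fit together in code. The following is an added example, not code from the original post or from GitHub: the application reads its key from an environment variable (the variable name RENTALS_API_KEY, the scope names and the request numbers are assumptions made for this example) and refuses to start without it, and a small gateway class shows what a provider's side of least-privilege scopes and a per-key request budget looks like, so a leaked read-only key for the listings page cannot reach tenant records or run up the bill.

```python
import os
import time
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional


class MissingSecret(RuntimeError):
    """The application refuses to start without the key rather than falling back."""


def load_api_key(name: str = "RENTALS_API_KEY", env: Optional[Dict[str, str]] = None) -> str:
    """Read the key from an environment variable (where a CI secret or a local
    .env loader puts it) instead of from a string literal in the source tree.
    The variable name is an assumption for this example."""
    source = os.environ if env is None else env
    value = source.get(name, "").strip()
    if not value:
        raise MissingSecret(f"{name} is not set; store it as a secret, not in code")
    return value


@dataclass
class KeyPolicy:
    """What one issued key may do: its scopes and its request budget per window."""
    scopes: FrozenSet[str]
    max_requests: int
    window_seconds: float
    _window_start: float = field(default=0.0, repr=False)
    _count: int = field(default=0, repr=False)


class ApiGateway:
    """Server-side checks a provider applies per key: least-privilege scopes and
    a hard request budget, so a leaked key cannot do more than it was issued for."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.policies: Dict[str, KeyPolicy] = {}

    def issue(self, key: str, scopes, max_requests: int, window_seconds: float = 3600.0):
        self.policies[key] = KeyPolicy(frozenset(scopes), max_requests, window_seconds)

    def authorize(self, key: str, scope: str):
        """Return (allowed, reason). Unknown keys, missing scopes and exhausted
        budgets are all refused; the budget is only consumed on success."""
        policy = self.policies.get(key)
        if policy is None:
            return False, "unknown key"
        if scope not in policy.scopes:
            return False, f"key lacks scope {scope}"
        now = self.clock()
        if now - policy._window_start >= policy.window_seconds:
            policy._window_start, policy._count = now, 0  # new window
        if policy._count >= policy.max_requests:
            return False, "request budget exhausted"
        policy._count += 1
        return True, "ok"


if __name__ == "__main__":
    # Constructed environment standing in for the secret injected by the build.
    key = load_api_key(env={"RENTALS_API_KEY": "Hi5L13Oqm9S6"})
    gateway = ApiGateway()
    gateway.issue(key, scopes={"listings:read"}, max_requests=3)
    for scope in ["listings:read", "tenants:read", "listings:read", "listings:read", "listings:read"]:
        print(scope, gateway.authorize(key, scope))
```

In a real deployment the gateway lives at the provider and you only choose the scopes and the limit when the key is issued; the part you control in your own code is load_api_key, which keeps the key out of the repository and out of the browser bundle.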
If you would like your website auditing for possible security risks or API keys leaks, please get in touch with us at email@example.com.