API Keys Exposed – Millions Of Transaction Details At Risk, Experts Weigh In

By   ISBuzz Team
Writer , Information Security Buzz | Sep 21, 2021 03:05 am PST


CloudSEK’s security search engine, BeVigil, is reporting “Widespread Exposure of API Keys Imperils the Mobile App Ecosystem.” The report discusses the dangers of apps with hardcoded API keys, pointing out that “hardcoded API keys are akin to locking your house but leaving the key in an envelope titled ‘do not open’.”

In an investigation of 13,000 apps recently uploaded to BeVigil for security review, 250 of them used the Razorpay API to enable financial transactions. Ten of these apps (~5%) were found to be exposing their payment integration key ID and key secret. If this finding holds true across the approximately 8 million apps currently using Razorpay, then the number of apps exposing their API keys could be as high as 400,000. The white paper points out: “This discovery comes on the heels of a similar finding that 100 million users’ data is impacted because 0.5% of mobile apps expose their internal AWS keys. This highlights a pattern of systemic mishandling of API keys among app developers.”
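The check a practitioner would want after reading this is a scan of their own app's decompiled sources and resources for the key shapes the article describes. The following Python scanner is an added example, not BeVigil's tooling or anything from CloudSEK's report; the Razorpay key-ID prefix and AWS access-key-ID shape are assumptions based on publicly documented formats, and the sample files are constructed.

```python
import re
from dataclasses import dataclass

# Key shapes the article discusses. The prefixes are assumptions based on
# publicly documented formats, not values taken from the report.
PATTERNS = {
    "razorpay_key_id": re.compile(r"\brzp_(?:live|test)_[A-Za-z0-9]{14}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # Any *secret*-named assignment to a literal of plausible secret length.
    "secret_assignment": re.compile(
        r"(?i)\b[A-Z0-9_]*secret[A-Z0-9_]*\s*[:=]\s*[\"']([A-Za-z0-9+/=_-]{16,})[\"']"
    ),
}

@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # never carry the full value into reports or logs

def redact(value: str) -> str:
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"

def scan_text(path: str, text: str) -> list:
    """Return one Finding per pattern hit, line by line, with values redacted."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(path, line_no, kind, redact(value)))
    return findings

def scan_files(files: dict) -> list:
    return [f for path, text in files.items() for f in scan_text(path, text)]

# Constructed sample of what decompiled Android sources and resources look like.
# Line 4-5 are the vulnerable pattern; line 7 is the safer one (client gets only
# the key ID, at runtime, from the app's own backend; the secret stays server-side).
SAMPLE_FILES = {
    "com/example/pay/Config.java": """package com.example.pay;
public final class Config {
    // Hardcoded: both values ship inside the APK
    static final String RAZORPAY_KEY_ID = "rzp_live_AbCdEfGhIjKlMn";
    static final String RAZORPAY_KEY_SECRET = "s3cretValueThatIsLongEnough";
    // Safer: fetched from your backend (PaymentApi is a hypothetical client)
    static String keyIdFromBackend() { return PaymentApi.fetchConfig().keyId; }
}
""",
    "res/values/strings.xml": """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="aws_access_key_id">AKIAIOSFODNN7EXAMPLE</string>
</resources>
""",
}
```

Run `scan_files(SAMPLE_FILES)` over an unpacked APK's string resources and decompiled classes; the report lists file, line and key type while leaving the value redacted.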

1 Expert Comment
George McGregor, VP of Marketing
September 21, 2021 11:09 am

APIs are great ways of using specialized third-party services while focusing on core business strategies. They are also great ways of gaining illicit entrance into these services by attackers. APIs typically require a key provided by the application that permits the use of defined levels of services. It turns out that many applications hard code these keys into their source code. Any attacker who gains control over the application can also make use of the third-party service.

It goes without saying that API keys shouldn’t be embedded into the application itself. That’s like hard-coding the database system administrator password into a web application. But this also highlights the fact that third-party services have to monitor the use of their services to make sure the use is legitimate. Services that fail to do so are risking attack by their customers’ applications themselves.

