Posted in
- Security
API keys are a ubiquitous technology across the modern web. Considered one of the core technologies of API communication, keys help drive the mechanisms underpinning some of the most widely used platforms and systems across the internet. Despite this ubiquity, effective use of API keys depends heavily on proper implementation and secure management. The potential repercussions of API key misuse can be extremely damaging in the short and long term.
Below, we’re going to look at proper API key use and security. We’ll look at some examples of poor API key security and extract some lessons that can be learned from these issues.
The Importance of Securing API Keys
Before diving into specific examples of API key security failure, we should discuss why this topic is an important, growing concern.
The reality is that API key exposure has rapidly grown in recent years. In 2019, researchers estimated 100,000 GitHub repositories had exposed API tokens and cryptographic keys. Exposed keys can lead to significant data exfiltration, which can be incredibly damaging to the organization’s economic stability and the user’s trust in the product.
Preventing API key leaks is relatively easy, which is why this topic can be so frustrating. Simply adopting strong key management systems and secure data storage can improve the security posture, and additional investments in employee education can pay huge long-term dividends.
API Key Leak Consequences
API key leaks carry some significant consequences, both direct and indirect. Generally, these can be separated into a handful of categories: financial, regulatory, and reputational.
Financial Consequences
API key leaks can lead to costly consequences if keys are used for metering and quota governance. These systems rely on accuracy, and accuracy relies on veracity. When your keys no longer represent the true situation and use case for a client, those keys are no longer useful for business logic and planning and can become dangerous in their own right.
There is also the very real threat of resource expenditure. Many API key-based attacks might focus on trying to DDoS systems or make for costly server run-ups, especially when calling exponential functions or complex calls that are without purpose. These attacks may focus entirely on creating as much direct cost as possible for the software provider.
In many cases, insecure API keys could lead to the exposure of partner data. If you have SLAs or contracts that rely on securing this data, you could quickly run into legal issues that carry significant financial burdens. These attacks can also trigger a forensic investigation, remuneration for affected clients, mitigation costs, and more that could significantly run up costs.
Also read: The Difference Between API Keys and API Tokens
Regulatory Consequences
Ignoring the direct monetary implications, there are also significant regulatory issues with API key exposure. Policies and regulations such as GDPR or CCPA make the act of exposing data due to negligence an extremely costly proposal, with fines in the range of 4% of annual turnover — and that’s turnover, not profit.
There are also criminal penalties for exposing certain kinds of data, such as healthcare data, through negligence. In some cases, penalties can dissolve a business or create personal responsibility outside corporate liability protection.
Fundamentally, regulatory consequences could be existential — they could mean breaking your business and collapsing your financial well-being.
Reputational Consequences
Finally, there are potential reputational consequences. Leaked data is always a reputational hit to a business, but how that data was leaked can change the average user’s response. When data is leaked because a third-party partner didn’t do their due diligence, the anger often shifts to that partner.
If a leakage happens, however, because you exposed an API key, that’s different. That’s gross negligence and could lead to a mass migration of users. Some exposures have cost the reputation of departments and the careers of the people in those departments. Some data exposures have even spelled the end of entire companies.
High-Profile Case Studies
Unfortunately, some high-profile exposures have occurred due to issues around API keys in recent years. Let’s take a quick look at just a sample of them.
Kronos
In November of 2023, fintech firm Kronos revealed that it had suffered a major data breach stemming from the loss of several API keys. After the keys were lost, they were abused, resulting in what the company estimates as a $25 million USD loss.
Attack Vector
Due to the fact that the Kronos breach is still being investigated, details are still forthcoming. While the company noted that the breach started with “unauthorized access to some of [their] API keys”, the access modality has yet to be publicly released. Nonetheless, because the API keys in question were part of the payment and wallet management APIs internal to the Kronos ecosystem, their abuse led to the exfiltration of Ethereum from the wallets of many users.
Long-Term Impact
The most immediate impact of a breach of this nature is the financial and regulatory concerns. While digital currency doesn’t generally have the same financial regulatory protections afforded by the FDIC as a standard bank account, the business in question still depends on held currency values to secure ongoing business functions. Accordingly, a considerable loss of this kind brings significant investor concern, regulatory purview, and, in some cases, consumer protection actions.
Beyond this, there is the reputational impact to consider. Fintech firms have some of the highest profile requirements of the tech space, and failure of something at this magnitude could signal a lack of trustworthiness or ability to execute. A reputation loss could impact a fintech organization’s long-term business prospects.
Dropbox
In 2022, Dropbox revealed a massive data breach. What’s quite interesting about this breach is the modality of the attack. It’s an eye-opening example of how damaging and quickly escalating a well-planned attack can be.
Attack Vector
The attack started with several stolen employee credentials lifted through a relatively advanced phishing attack. The attack targeted employees with a fake authentication page for CircleCI, allowing the attackers to steal both GitHub username/password pairs and the One Time Password values used as a two-factor method.
While this is obviously not ideal, the attack should have stopped there. The real problem lay in the data that was accessed using that credential. The attacker was able to steal 130 code repositories stored by Dropbox on GitHub, and in those repositories was a treasure trove of API keys (in addition to past and present customer data, employee data, and vendor information)
Long-Term Impact
The long-term impact of this attack has yet to be fully realized. While the immediate mitigation strategies employed by Dropbox allowed for some relatively rapid response to what could have been a much worse attack, this breach exposed a lot more than just data. It revealed the structure, library dependency, and development approach of a massive corporation. Such information could be used to inform attack vectors and strikes against infrastructure.
An interesting consideration here is the reputational impact. Dropbox is a great example of clear communication and security controls playing a huge role in mitigating this impact. As the core problem was individual security lapses from employees and not something more systemic, it’s somewhat easier to forgive Dropbox — this, paired with the fact that mitigation strategies were deployed quickly, makes the reputational impact less significant.
Imperva
In 2019, Imperva revealed that it had experienced a data breach of customer data for a large segment of its user base. The attack was caused by accidental exposure of an API key, which led to a database snapshot being accessed, with the data exfiltrated, including email addresses, passwords (hashed and salted), and TLS/API keys for an unspecified number of users.
Attack Vector
This attack vector is an interesting one and highly specific. During a database migration to AWS Relational Database Service, Imperva created a snapshot of their database for testing. To facilitate this testing and development, they also created a compute instance containing an AWS API key. This instance was left publicly accessible.
The attacker infiltrated this compute instance, exfiltrating the AWS API key. Using this key, they then pivoted their attack to the database snapshot, accessing it through the AWS API key and exfiltrating the data contents.
Long-Term Impact
Exposing a compute instance in this manner resulted in a huge exposure. As such, this sort of attack could have long-term impacts on consumer trust. While Imperva responded very quickly once they were alerted of the issue, it took an external bug bounty request for them to realize what had happened, signaling a weakness in their logging and alerting systems and their access auditing.
Conclusion
Securing your API keys is critical to ensuring long-term health, security, and operational wellness. Accordingly, you should consider the security of API keys as a critical long-term business function and an existential issue. Be proactive, plan for the worst-case scenario, and treat it with the respect it deserves. Adopt updated security protocols and be vigilant — because you never know what the next attack vector will be.
