Abstract API Key
ID | abstract
Severity | low
Vendor | Abstract API
Family | API key
Description
Abstract API provides a suite of APIs for software developers, a platform for integrating common services into applications with little effort. Services include email and phone validation, IP geolocation, and company information.
Security
Each API requires a different API key. The key is a simple secret used mainly for licensing and billing, since the information returned by the APIs is not customer-specific.
For this reason, the impact of leaking an Abstract API key is limited. Still, anyone holding a valid Abstract API key can make requests on your account and run up unexpected charges on your invoices.
The API key is passed as a query parameter named api_key in the request URL. A key sent this way is not treated as a strongly protected secret: any system that handles the URL may record it, so it can end up in logs, caches and other locations.
Any hardcoded Abstract API Key is a potential secret reported by this detector.
Mitigation / Fix
- Follow your policy for handling leaked secrets, which typically requires revoking or renewing the key in the target API. Open https://app.abstractapi.com/api/<API>/settings, authenticate yourself, and click the Rotate action. Take note of the new key.
- Remove the leaked Abstract API Key from the source code or committed configuration file. Do not leak the new key again: pass it through environment variables, local files or a secret vault instead of hardcoding the value, as documented in How to Prevent Hard-Coded Secrets.
- Check access logs to ensure that the secret was not used by unintended actors during the compromised period. Each API has a usage chart at https://app.abstractapi.com/api/<API>/usage where you can look for an unexpectedly large number of requests during the exposure window.
You should consider any sensitive data in commits with secrets as compromised. Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.
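As an added example (not code from Abstract API, nor the detector's own implementation), the Python below shows the hardcoded pattern this detector reports next to its hardened form, plus a helper that redacts the api_key query value before a URL is written to a log, which addresses the logging concern raised in the Security section. The matching regex, the ABSTRACT_API_KEY variable name, the host and /v1/ path, and the 32-character sample key are all assumptions made for illustration and are not taken from the page.

```python
"""
Added example, not Abstract API's own code: find a hardcoded Abstract API key,
build the request URL from an environment variable instead, and redact the key
before the URL reaches a log line.
Assumptions not stated on the page: keys are matched as 20+ alphanumeric
characters; the env var is ABSTRACT_API_KEY; the host/path are illustrative;
the sample key below is constructed and is not a real credential.
"""
import os
import re
from typing import Mapping, Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# A literal api_key value either inside an abstractapi.com URL or assigned to
# an api_key variable/JSON field. The {20,} length is an assumption.
HARDCODED_KEY_RE = re.compile(
    r'(?:abstractapi\.com/[^\s"\']*[?&]api_key=|["\']?api_key["\']?\s*[:=]\s*["\'])'
    r'(?P<key>[A-Za-z0-9]{20,})'
)

# Constructed sample source: line 3 hardcodes a key, line 5 reads it from the
# environment. Only line 3 should be reported.
SAMPLE_SOURCE = """\
import os, requests
# Hardcoded: the value below is a constructed key used only for this example
url = "https://emailvalidation.abstractapi.com/v1/?api_key=1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d&email=a@b.c"
# Taken from the environment: nothing to report
url = "https://ipgeolocation.abstractapi.com/v1/?api_key=" + os.environ["ABSTRACT_API_KEY"]
"""


def find_hardcoded_keys(source: str) -> list:
    """Return (line number, key) for every line carrying a literal api_key value."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in HARDCODED_KEY_RE.finditer(line):
            findings.append((lineno, match.group("key")))
    return findings


def build_request_url(api_host: str, params: dict,
                      env: Optional[Mapping[str, str]] = None) -> str:
    """Hardened form: the key comes from ABSTRACT_API_KEY, never from source.

    The key still travels as the api_key query parameter, because that is how
    the API expects it, so the returned URL itself must be treated as sensitive.
    """
    env = os.environ if env is None else env
    key = env.get("ABSTRACT_API_KEY")
    if not key:
        raise RuntimeError("ABSTRACT_API_KEY is not set")
    query = urlencode({"api_key": key, **params})
    return urlunsplit(("https", api_host, "/v1/", query, ""))


def redact_api_key(url: str) -> str:
    """Replace the api_key value so the URL can be logged or cached safely."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == "api_key" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    for lineno, key in find_hardcoded_keys(SAMPLE_SOURCE):
        print(f"line {lineno}: hardcoded Abstract API key {key[:4]}...{key[-4:]}")
    url = build_request_url("emailvalidation.abstractapi.com",
                            {"email": "foo@example.com"},
                            env={"ABSTRACT_API_KEY": "dummykeyfromenvironment"})
    print("log line:", redact_api_key(url))
```

Run the detector over a repository by feeding it each file's text; the redaction helper belongs wherever request URLs are logged, since rotating a key does nothing for copies that were already written to a log before the rotation.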