AccuWeather API key
ID: accuweather_apikey
Severity: high
Vendor: AccuWeather
Family: API Key
Description
AccuWeather is a major commercial weather services company that provides weather information to consumers and businesses.
AccuWeather exposes an API that provides weather data for any geographical location. It uses API keys for authentication.
Security
Due to the way the API is designed, API keys are relatively easy to disclose, because the key is sent as a parameter of the request URL: web server and application access logs typically record full URLs, and URLs persist in browser history and in cache data (browser, proxies, CDNs).
Any hardcoded AccuWeather API key is a potential secret reported by this detector.
Examples
```go
accuweather_apikey := "jBROSPFlH3WaKDoRonOahPPa83vhzvvE"
url := "https://dataservice.accuweather.com/locations/v1/cities/search?q=Beijing&apikey="
resp, err := http.Get(url + accuweather_apikey)
```
Mitigation / Fix
- Follow your policy for handling leaked secrets, which typically requires revoking the API key in the AccuWeather APIs dashboard. AccuWeather does not provide a way to revoke an existing key, so you need to delete the application and recreate it: go to AccuWeather MY APPS, select the app with the leaked key and click on the "Delete app" link.
- Create a new app: click the "+Add a new App" button, fill in the form, and once the app is created, take note of the API key.
- Replace the leaked key with the new one, but use a more secure alternative instead of hard-coding it. See How to Prevent Hard-Coded Secrets for full details.
- (Optional) If the code is under a git repository, you may remove unwanted files from the repository history using tools like git filter-repo or BFG Repo-Cleaner. You may follow the procedure listed here for GitHub.

You should consider any sensitive data in commits with secrets as compromised. Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.
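The following is an added example, not code from the page or from AccuWeather, covering the two points above: the hard-coded key from the Examples section replaced by a key read from the environment (the variable name ACCUWEATHER_API_KEY is an assumption), and a redaction step so that the key, which the API requires in the query string, does not reach access logs.

```go
package main

import (
	"fmt"
	"net/url"
	"os"
)

// Reads the key from ACCUWEATHER_API_KEY (an assumed variable name) instead
// of a literal in source, so the key never lands in the repository history.
func accuweatherKeyFromEnv() (string, error) {
	key := os.Getenv("ACCUWEATHER_API_KEY")
	if key == "" {
		return "", fmt.Errorf("ACCUWEATHER_API_KEY is not set")
	}
	return key, nil
}

// The AccuWeather API authenticates with the key in the query string;
// url.Values escapes both parameters and sorts them by name.
func buildCitySearchURL(city, apiKey string) string {
	q := url.Values{}
	q.Set("q", city)
	q.Set("apikey", apiKey)
	return "https://dataservice.accuweather.com/locations/v1/cities/search?" + q.Encode()
}

// Because access logs and caches record full URLs, log only a copy in
// which the apikey value has been replaced.
func redactAPIKey(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	if _, ok := q["apikey"]; ok {
		q.Set("apikey", "REDACTED")
		u.RawQuery = q.Encode()
	}
	return u.String(), nil
}

func main() {
	key, err := accuweatherKeyFromEnv()
	if err != nil {
		fmt.Println("config error:", err)
		return
	}
	safe, _ := redactAPIKey(buildCitySearchURL("Beijing", key))
	fmt.Println("requesting", safe) // the real key never reaches the log
}
```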