Adafruit IO Key

ID

adafruit_io_key

Severity

high

Vendor

Adafruit IO

Family

API Key

Description

Adafruit IO is a cloud-based IoT (Internet of Things) platform created by Adafruit Industries.

Security

Any Adafruit IO Key is a potential secret reported by this detector.

When making HTTP requests to Adafruit IO, you can include the API key as a query parameter named x-aio-key or as a request header named X-AIO-Key.

It is a best practice to avoid including your API key in the URL as a query parameter, because the key can then be revealed in logs, caches and many other places.
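The following scanner is an added example, not the detector's own rule or code from Adafruit. It matches the key shape seen in this page's example ("aio_" followed by 28 alphanumeric characters; that pattern is an assumption inferred from the sample key), redacts each hit for safe reporting, and flags the riskier case where the key is passed as an x-aio-key query parameter rather than in the X-AIO-Key header. The input lines are constructed for the example.

```python
"""Find Adafruit IO keys in text and flag query-parameter exposure.

Added example; not the detector's implementation. The key pattern below is an
assumption based on the sample key shown on the page.
"""
import re
from typing import Dict, List

# Assumed key shape: literal "aio_" prefix followed by 28 alphanumerics.
AIO_KEY_RE = re.compile(r"\baio_[A-Za-z0-9]{28}\b")
QUERY_PARAM_PREFIX = "x-aio-key="  # the URL query-parameter form described on the page


def redact(key: str) -> str:
    """Keep the prefix and last four characters so a finding can be triaged
    without reproducing the full secret in a report."""
    return key[:4] + "..." + key[-4:]


def scan_text(text: str, source: str = "<input>") -> List[Dict[str, object]]:
    """Return one finding per key occurrence, with its line number and whether
    it was placed in a URL query string (more likely to land in logs/caches)."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in AIO_KEY_RE.finditer(line):
            before = line[: match.start()].lower()
            findings.append(
                {
                    "source": source,
                    "line": lineno,
                    "redacted": redact(match.group(0)),
                    "in_query_string": before.endswith(QUERY_PARAM_PREFIX),
                }
            )
    return findings


# Constructed sample: line 2 reuses the page's example key in a header, line 3
# uses a made-up key in the query-parameter form, line 4 is the safe pattern.
SAMPLE = """\
# constructed sample lines, not a real project
curl -H "X-AIO-Key: aio_gHnr301vnG494RWYq490x3vmPJ7H" https://io.adafruit.com/api/v2/test_username/feeds
wget "https://io.adafruit.com/api/v2/test_username/feeds?x-aio-key=aio_AbCdEfGhIjKlMnOpQrStUvWxYz12"
AIO_KEY = os.environ["ADAFRUIT_IO_KEY"]
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE, source="sample.sh"):
        where = "query parameter" if finding["in_query_string"] else "header/other"
        print(f'{finding["source"]}:{finding["line"]}: {finding["redacted"]} ({where})')
```

Run it over a checkout (for example by feeding each file's contents to scan_text) to get a redacted list of hits; findings with in_query_string set deserve priority because that key has likely already been written to web-server or proxy logs.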

Examples

curl -H "X-AIO-Key: aio_gHnr301vnG494RWYq490x3vmPJ7H" \
    https://io.adafruit.com/api/v2/test_username/feeds

Mitigation / Fix

  1. Follow your policy for handling leaked secrets, which typically requires regenerating the key. Log in to https://io.adafruit.com and click View Adafruit IO Key. Your active key will be displayed. Click the REGENERATE AIO KEY button to recreate the key, and take note of it so you can update your scripts / sketches with the new key.

  2. Remove the leaked key from the source code or committed configuration file, and make provisions so that it is not committed again, for example by listing the file in ignore files such as .gitignore.

  3. Modify the way the key is passed to scripts and sketches. Environment variables or local files could be used for passing the AIO key, instead of hardcoding the value, as documented in How to Prevent Hard-Coded Secrets.
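The script below is an added example of step 3, not code from Adafruit or from this page: it reads the key from an environment variable (the name ADAFRUIT_IO_KEY is an assumption), refuses to run without it, and sends the key only in the X-AIO-Key header of a request to the feeds endpoint shown in the curl example above. The username is a placeholder.

```python
"""Pass the Adafruit IO key via an environment variable and send it as a header.

Added example; the variable name ADAFRUIT_IO_KEY and the username are assumptions.
Uses only the standard library so it runs offline; no request is sent unless
main() is invoked.
"""
import os
import urllib.parse
import urllib.request
from typing import Mapping, Optional

AIO_BASE = "https://io.adafruit.com/api/v2"  # endpoint from the page's curl example


def load_aio_key(env: Optional[Mapping[str, str]] = None) -> str:
    """Read the key from the environment instead of a hard-coded literal.
    Fails loudly so a missing key never turns into an unauthenticated call."""
    env = os.environ if env is None else env
    key = env.get("ADAFRUIT_IO_KEY", "").strip()
    if not key:
        raise RuntimeError("ADAFRUIT_IO_KEY is not set; refusing to build the request")
    return key


def build_feeds_request(username: str, key: str) -> urllib.request.Request:
    """Build GET /api/v2/{username}/feeds with the key in the X-AIO-Key header.
    The key is deliberately kept out of the URL."""
    url = f"{AIO_BASE}/{urllib.parse.quote(username)}/feeds"
    req = urllib.request.Request(url, method="GET")
    req.add_header("X-AIO-Key", key)
    return req


def key_in_url(req: urllib.request.Request, key: str) -> bool:
    """Guard for reviews and tests: True if the key leaked into the URL
    (path or query string), which is the exposure the page warns about."""
    return key in urllib.parse.unquote(req.full_url)


def main() -> None:
    key = load_aio_key()
    req = build_feeds_request("test_username", key)
    assert not key_in_url(req, key)
    with urllib.request.urlopen(req, timeout=10) as resp:
        print(resp.status)
        print(resp.read().decode("utf-8")[:500])


if __name__ == "__main__":
    main()
```

Run as `ADAFRUIT_IO_KEY=... python3 aio_feeds.py`; the key then lives in the process environment (or a local, git-ignored file you source) rather than in the sketch, and nothing it touches ends up in request URLs.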

You should consider any sensitive data in commits with secrets as compromised.

Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.

  4. Check access logs to ensure that the secret was not used by unintended actors during the compromised period.
