Authress Service Client Access Key
ID: authress
Severity: critical
Vendor: Authress
Family: API key
Description
Authress is an authentication and authorization platform. Authress can be used to verify and protect customers' APIs without having to write anything additional to generate, maintain, or secure these keys.
Authress provides API access keys for accessing its APIs. These keys are used to authenticate and authorize requests to the Authress API.
Security
Any hardcoded Authress Service Client Access Key is a potential secret reported by this detector. Authress recommends against exposing these keys outside of the service's production runtime:
In most circumstances Authress recommends against exposing the private access key outside of the service's production runtime. The fewer places the key is exposed to, the fewer opportunities it has to be compromised. When possible, use one of the Authress SDKs to convert the secret access key to a JWT; otherwise please use the static secret access key and private key with care.
Leaking an Authress Service Client access key can have several serious consequences:
- Unauthorized Access: An attacker with access to the key can potentially impersonate the service client, gaining unauthorized access to your APIs and sensitive data.
- Data Breach: With access to your APIs, an attacker could retrieve, modify, or delete sensitive information, leading to a data breach.
- Service Disruption: An attacker could use the access key to disrupt services by making excessive or malicious API calls, leading to downtime or degraded performance.
- Compliance Violations: Leaked access keys can result in non-compliance with data protection regulations, leading to legal and financial repercussions.
- Loss of Trust: A security breach can damage your organization's reputation and erode trust with customers, partners, and stakeholders.
Authress provides some automatic secrets scanning and revocation for exposed Service Client access keys to mitigate these risks. If a key is detected as exposed, it is immediately revoked, and an alert is sent to the account contact.
Examples
my_key=sc_aiqueeShoth4PhoM5...ephoh+sR
curl https://login.yourdomain.com -H "Authorization: Bearer $my_key"
In the above example, sc_aiqueeShoth4PhoM5...ephoh+sR is an exposed Authress Service Client Access Key.
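The following scanner is an added example, not part of this page or of any Authress tooling. It illustrates how a detector can flag hardcoded keys of the shape shown above and report them in masked form; the key pattern (an "sc_" prefix followed by base64-style characters) is an assumption inferred from the example, not an official Authress format, and the sample file and key value are constructed.

```python
import re

# Assumed key shape (not an official Authress specification): a literal "sc_"
# prefix followed by a run of base64-style characters. The page only shows a
# truncated example, so the minimum length is a conservative guess.
KEY_PATTERN = re.compile(r"\bsc_[A-Za-z0-9+/=_-]{16,}")


def mask(secret: str, keep: int = 6) -> str:
    """Keep the prefix and the last two characters so a finding can be matched
    to the right Service Client key without reproducing the full secret."""
    return secret[:keep] + "..." + secret[-2:]


def find_authress_keys(text: str) -> list[tuple[int, str]]:
    """Return (line_number, masked_key) for every candidate key in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_PATTERN.finditer(line):
            findings.append((lineno, mask(match.group(0))))
    return findings


# Constructed sample "source file": the key value below is invented for this
# example. The last line reads the key from the environment (the recommended
# practice) and therefore contains no literal to flag.
SAMPLE = """\
# deploy.sh
export AUTHRESS_KEY=sc_EXAMPLEaiqueeShoth4PhoM5ephoh+sR
curl https://login.yourdomain.com -H "Authorization: Bearer $AUTHRESS_KEY"
key = os.environ["AUTHRESS_SERVICE_CLIENT_KEY"]
"""

if __name__ == "__main__":
    for lineno, masked in find_authress_keys(SAMPLE):
        print(f"line {lineno}: possible Authress Service Client key {masked}")
```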
Mitigation / Fix
- Follow your policy for handling leaked secrets, which typically requires renewing the key in Authress. You need to know the Service Client that has the leaked key. Log in to the Authress console > Service Clients, select the service client, click the Edit button, and then click the trash-bin icon at the right of the leaked key. You could also click Add key to generate a new key for the service client. You may also use this API endpoint: Delete service client access key.
- Remove the leaked Authress Service Client Access Key from the source code or committed configuration file, and replace it with the new one. Environment variables, local files or secret vaults could be used for passing the key, instead of hardcoding the value, as documented in How to Prevent Hard-Coded Secrets.
- Check access logs to ensure that the API key was not used by unintended actors during the compromised period. Authress' Audit Streams can be used to monitor API usage.
You should consider any sensitive data in commits with secrets as compromised. Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.