Customer.io App Keys
ID |
customerio_app_keys |
Severity |
high |
Vendor |
Customer.io |
Family |
API Token |
Description
Customer.io is an automated messaging platform who gives more control and flexibility to craft and send data-driven emails, push notifications, in-app messages, and SMS.
The App API provides methods to send transactional messages and trigger broadcasts. In both cases, your payload acts as a message "trigger" and can contain data that you reference in your messages using liquid—{{trigger.<data>}}.
The other endpoints help you retrieve information about people, segments, campaigns, broadcasts, etc; it also lets you update campaign actions, messages, newsletter variants, etc.
Security
Any hardcoded Customer.io API Key is a potential secret reported by this detector.
Accidentally checking-in the key to source control repositories could compromise your Customer.io account.
Mitigation / Fix
-
Remove the
API Keyfrom the source code or committed configuration file. -
Follow your policy for handling leaked secrets, which typically require revoking the secret in the target system(s). API Key revocation can be handled from your dashboard.
-
If under a git repository, you may remove unwanted files from the repository history using tools like
git filter-repoorBFG Repo-Cleaner. You may follow the procedure listed here for GitHub.
|
You should consider any sensitive data in commits with secrets as compromised. Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories. |