DigitalOcean Token

ID

digital_ocean_token

Severity

critical

Vendor

Digital Ocean

Family

API Token

Description

DigitalOcean is a cloud infrastructure provider which provides developers, startups, and SMBs with cloud infrastructure-as-a-service platforms.

It provides an API to programmatically access its products and services where a user can manage all the features available in the control panel.

This detector looks for an API token, either a Personal Access Token, an OAuth Access Token, or an OAuth Refresh Token.

Security

Any hardcoded Digital Ocean token is a potential secret reported by this detector.

Accidentally checking the token in to a source control repository could compromise your Digital Ocean account.

The Digital Ocean Dashboard provides a list of all actions (login, resource creation and deletion) that happened in the last 12 months. This can be accessed from the My Profile/Security section of the dashboard.

Examples

# A personal access token (redacted!)
digital_ocean_token = dop_v1_3c9cf...e53b2e

Mitigation / Fix

  1. Follow your policy for dealing with leaked secrets, which typically requires revoking or regenerating the token. How to do so depends on the type of token:

    1. For a leaked personal token (starting with dop_v1_), you should revoke it. You may identify the user that owns the token using the /v2/account endpoint, for example:

      curl -X GET \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer $LEAKED_TOKEN" \
      "https://api.digitalocean.com/v2/account"

      The token owner can then go to the DigitalOcean dashboard and, in the Tokens tab, locate the leaked token, click the '…' on the right, and click Delete (or Regenerate for renewal) in the pop-up menu. Then type the name of the token to confirm deletion.

      Take note of the value in the Last Used column for the token to revoke, and the new token value if it was regenerated.

    2. For a leaked OAuth token (starting with doo_v1_), you could revoke it using the Revoke Token Flow, a sort of 'token suicide'. The revoke endpoint expects the token in a token= form parameter:

      curl -X POST https://cloud.digitalocean.com/v1/oauth/revoke \
           -d "token=$LEAKED_TOKEN" \
           -H "Authorization: Bearer $LEAKED_TOKEN"

      Alternatively, as an administrator, go to the Applications & API > OAuth Applications tab, click on the … to the right of the target application, and then click the View option. In the OAuth application details, click Revoke all user tokens.

  2. Remove the secret from the source code or committed configuration file. Replace hard-coded secrets with the new token using a more secure alternative, such as one of the options documented in How to Prevent Hard-Coded Secrets.

  3. If you suspect any unexpected access, go to the Security History section in the Settings of your DigitalOcean dashboard. You can then search for actions, the owning user

  4. If the file is in a git repository, you may remove unwanted files from the repository history using tools like git filter-repo or BFG Repo-Cleaner. You may follow the procedure listed here for GitHub.

You should consider any sensitive data in commits with secrets as compromised.

Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.
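As an added example that is not part of the original detector documentation, the script below scans configuration text for the token prefixes named on this page, redacts each hit the way the Examples section does, and maps it to the matching remediation path (personal token vs. OAuth token). The 64-hex-character token body and the dor_v1_ refresh-token prefix are assumptions about the format; the sample file and its token values are constructed.

```python
import re
from dataclasses import dataclass

# Prefixes dop_v1_ and doo_v1_ come from this page; the dor_v1_ refresh-token
# prefix and the 64-hex-character body are assumptions about the token format.
TOKEN_RE = re.compile(r"\b(do[por])_v1_([0-9a-f]{64})\b")

KIND = {
    "dop": "personal_access_token",
    "doo": "oauth_access_token",
    "dor": "oauth_refresh_token",
}

@dataclass
class Finding:
    line_no: int
    kind: str
    redacted: str
    remediation: str

def redact(token: str) -> str:
    """Keep the prefix plus a few leading/trailing characters, as in dop_v1_3c9cf...e53b2e."""
    return f"{token[:12]}...{token[-6:]}"

def remediation_for(kind: str) -> str:
    """Map the token type to the revocation path described in the Mitigation section."""
    if kind == "personal_access_token":
        return "identify owner via GET /v2/account, then Delete/Regenerate in the Tokens tab"
    return "POST https://cloud.digitalocean.com/v1/oauth/revoke, or 'Revoke all user tokens'"

def scan(text: str) -> list[Finding]:
    """Return one Finding per token-shaped string, never logging the full token value."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in TOKEN_RE.finditer(line):
            kind = KIND[m.group(1)]
            findings.append(Finding(line_no, kind, redact(m.group(0)), remediation_for(kind)))
    return findings

# Constructed sample config file; the hex bodies are filler, not real credentials.
SAMPLE = "\n".join([
    "# deploy.env (constructed sample)",
    "DIGITALOCEAN_TOKEN=dop_v1_" + "3c9cf" + "0" * 53 + "e53b2e",
    "OAUTH_TOKEN=doo_v1_" + "ab" * 32,
    "NOT_A_TOKEN=dop_v1_deadbeef",  # too short, must not match
])

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line_no}: {f.kind} {f.redacted} -> {f.remediation}")
```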

Reference