PostHog Personal API key
ID | posthog_personal_key
Severity | high
Vendor | PostHog
Family | API Key
Description
PostHog is an open-source product analytics platform that provides tools for event tracking, session recording, feature flags, A/B testing, and user surveys.
PostHog uses API keys for authentication. Personal API keys (prefixed with `phx_`) are tied to a user account and grant full API access, including reading and writing data; unlike the project API key (`phc_` prefix), which is intended to be embedded in client-side code and only accepts events, a personal API key must be kept secret.
Security
A leaked PostHog personal API key could have serious security implications:
- Unauthorized access to all analytics data, including user behavior, session recordings, and event data that may contain PII.
- Ability to modify feature flags, potentially enabling or disabling features for all users.
- Access to project configuration, team member information, and organization settings.
- Ability to delete data or modify dashboards and insights.
Examples
The following are examples of leaked PostHog keys:
posthog.api_key = "phx_1a2B3c4D5e6F...01234"
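The following scanner is an added example, not part of this page or of PostHog's own tooling. It shows how a detector for this key type can be written around the documented `phx_` prefix and run over lines of source or configuration. The pattern's length requirement (at least 20 URL-safe characters after the prefix) and the sample input are assumptions constructed for the example; the masking keeps enough of the key to match it against the list in PostHog's settings without copying the full secret into a report.

```python
import re
from dataclasses import dataclass

# Assumed pattern (not from the page or from PostHog): the documented "phx_"
# prefix followed by at least 20 URL-safe characters, and not preceded by a
# character that could make it the tail of a longer token. Tune the minimum
# length to your own false-positive tolerance.
PHX_KEY_RE = re.compile(r"(?<![A-Za-z0-9_-])phx_[A-Za-z0-9_-]{20,}")


@dataclass(frozen=True)
class Finding:
    line_no: int
    masked_key: str


def mask_key(key: str) -> str:
    """Keep the prefix plus the first few and last four characters so a finding
    can be correlated with a key in the PostHog UI without reproducing it."""
    return f"{key[:8]}...{key[-4:]}"


def scan_for_personal_keys(text: str) -> list:
    """Return one Finding per phx_ key, with line numbers starting at 1."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PHX_KEY_RE.finditer(line):
            findings.append(Finding(line_no, mask_key(match.group(0))))
    return findings


# Constructed sample input; neither value is a real PostHog key. The phc_ project
# key on line 2 is deliberately present to show it is not reported by this rule,
# and "phx_short" on line 4 is too short to match.
SAMPLE = """\
# settings.py
POSTHOG_PROJECT_KEY = "phc_aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789abcd"
posthog.api_key = "phx_1a2B3c4D5e6F7g8H9i0JkLmNoPqRsTuVwXyZ01234"
# phx_short is not a key
"""

if __name__ == "__main__":
    for finding in scan_for_personal_keys(SAMPLE):
        print(f"line {finding.line_no}: possible PostHog personal API key {finding.masked_key}")
```

Running the block reports only line 3 of the sample. The rule is intentionally prefix-based: a `phc_` project key is a different, lower-severity finding and should be handled by its own detector rather than folded into this one.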
Mitigation / Fix
- Follow your policy for handling leaked secrets, which typically requires revoking the key.
  For personal API keys: Go to PostHog Settings > Personal API Keys, find the compromised key, and click "Delete". Create a new key and update your applications.
  > Leaked keys should be immediately revoked and rotated.
- Remove the leaked PostHog key from the source code or committed configuration file, and replace the usages of the leaked key with the new value. Environment variables, local files or secret vaults could be used for passing the key, instead of hardcoding the value, as documented in How to Prevent Hard-Coded Secrets.
- Check PostHog activity logs to ensure that the key was not used by unintended actors during the compromised period.
- Follow best practices for securely handling PostHog API keys:
  - Never commit personal API keys to repositories, public or private.
  - Use environment variables or secret managers to pass API keys in your code.
  - Use separate keys for development and production environments.
  - Monitor API usage for unusual patterns.
  - Implement proper access controls (create each key with the narrowest scope PostHog offers) and key rotation schemes.

> You should consider any sensitive data in commits with secrets as compromised. Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.
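As an added example of the "replace the hardcoded value with an environment variable" step above (not code from this page or from PostHog), the loader below reads the rotated key from the environment and refuses to start with the two mistakes that commonly follow a rotation: the variable was never set in the new deployment, or a public `phc_` project key was pasted where the private `phx_` personal key belongs. The variable name `POSTHOG_PERSONAL_API_KEY` is an assumption; the bearer-token header is how PostHog's API accepts personal keys.

```python
import os
from typing import Mapping, Optional

# Assumed variable name (not from the page): where the rotated key is supplied
# by the runtime environment or a secret manager, never by source code.
ENV_VAR = "POSTHOG_PERSONAL_API_KEY"


class PostHogKeyError(ValueError):
    """Raised when no usable personal API key is available."""


def check_personal_api_key(value: str) -> Optional[str]:
    """Return a reason the value is unusable, or None if it looks like a
    personal API key. Only the documented prefix is checked; the key is not
    sent anywhere."""
    value = value.strip()
    if not value:
        return f"{ENV_VAR} is not set; do not fall back to a hardcoded key"
    if value.startswith("phc_"):
        return "a project API key (phc_) was supplied; it is public and write-only, a personal key (phx_) is required"
    if not value.startswith("phx_"):
        return "value does not look like a PostHog personal API key (expected phx_ prefix)"
    return None


def load_personal_api_key(env: Optional[Mapping[str, str]] = None) -> str:
    """Load the key from the environment (or a supplied mapping, for tests)."""
    source = os.environ if env is None else env
    value = source.get(ENV_VAR, "")
    problem = check_personal_api_key(value)
    if problem:
        raise PostHogKeyError(problem)
    return value.strip()


def auth_headers(key: str) -> dict:
    """PostHog accepts a personal API key as a bearer token."""
    return {"Authorization": f"Bearer {key}"}


if __name__ == "__main__":
    # Fails loudly instead of silently running with no or the wrong credential.
    headers = auth_headers(load_personal_api_key())
    print("Authorization header prepared:", headers["Authorization"][:14] + "...")
```

The point of failing on a `phc_` value is practical: a project key is often already present in the same environment for client-side ingestion, and after a hurried rotation it is the wrong key most likely to be copied into the personal-key slot.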