Pusher Channels Keys

ID

pusher_channel_keys

Severity

high

Vendor

Pusher

Family

API Token

Description

Pusher is a hosted API service that makes adding real-time data and functionality to web and mobile applications seamless. Pusher works as a real-time communication layer between the server and the client: it maintains persistent WebSocket connections to clients and pushes new data to them as it is added on your server.

Credentials are used to publish events to channels or to retrieve information about the connected users.

Security

Any hardcoded Pusher Key is a potential secret reported by this detector.

Accidentally checking in the keys to source control repositories could compromise your Pusher account.

Examples

development:
  pusher_app_id: '425841'
  pusher_app_key: '2fd9acbd37b06708983b'
  pusher_app_secret: '7a3dba4ceaab5040da47'
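Below is an added example of the kind of check this detector performs, written for this page and not taken from the detector's own rule set. It scans configuration text for pusher_app_key / pusher_app_secret assignments whose value is a literal credential, and reports each hit with the value redacted so that the report itself does not re-leak the secret. The value shape (a 20-character hexadecimal literal) is an assumption derived only from the example above; the sample configuration is constructed, extending the page's example with a second environment that reads the credentials from environment variables, which the check correctly does not flag.

```python
import re
from dataclasses import dataclass

# Constructed sample: the page's example plus a second environment that
# takes its credentials from environment variables instead of literals.
SAMPLE_CONFIG = """\
development:
  pusher_app_id: '425841'
  pusher_app_key: '2fd9acbd37b06708983b'
  pusher_app_secret: '7a3dba4ceaab5040da47'
production:
  pusher_app_key: ${PUSHER_KEY}
  pusher_app_secret: ${PUSHER_SECRET}
"""

# Assumed shape, derived only from the example on this page: a setting named
# pusher_app_key or pusher_app_secret, assigned (':' or '=') a 20-character
# hex literal, optionally quoted. This is not the detector's own rule.
PUSHER_SETTING = re.compile(
    r"""(?P<name>pusher_app_(?:key|secret))\s*[:=]\s*['"]?(?P<value>[0-9a-f]{20})['"]?\s*$""",
    re.IGNORECASE,
)


@dataclass
class Finding:
    line_no: int
    name: str
    redacted: str  # first 4 characters kept, rest masked


def redact(value: str) -> str:
    """Keep a short prefix for triage; never echo the full credential."""
    return value[:4] + "*" * (len(value) - 4)


def scan(text: str) -> list[Finding]:
    """Return one Finding per line that assigns a literal Pusher key or secret.

    Lines whose value is not a literal (e.g. an environment-variable
    reference) do not match the regex and are not reported.
    """
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = PUSHER_SETTING.search(line)
        if match:
            findings.append(
                Finding(line_no, match.group("name").lower(), redact(match.group("value")))
            )
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_CONFIG):
        print(f"line {f.line_no}: hardcoded {f.name} = {f.redacted}")
```

Running the block reports the two literal credentials in the development block (lines 3 and 4 of the sample) and nothing for the production block. In real scanning the pusher_app_id is usually not treated as a secret on its own, which is why the pattern above only names the key and secret settings.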

Mitigation / Fix

  1. Remove the Key from the source code or committed configuration file.

  2. Follow your policy for handling leaked secrets, which typically requires revoking the secret in the target system(s). API Key revocation can be handled from the app dashboard.

  3. If the file is in a git repository, you may remove unwanted files from the repository history using tools like git filter-repo or BFG Repo-Cleaner. You may follow the procedure listed here for GitHub.

You should consider any sensitive data in commits containing secrets as compromised.

Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.