Download the tool: https://github.com/Goon-Security/EAN_CLI
The EAN campaign was centered around Webpack, a module bundler for Node.js. The feature this campaign focuses on is that environment variables are bundled into the Webpack build; Webpack was targeted specifically because environment tokens end up embedded in the build output. NOTE: This is not a problem with Webpack. Developers should read the documentation.
While in this particular excerpt only variables with the prefix “REACT_APP_” are mentioned, environment variables passed directly into the React app with the “--env” flag are also embedded in the build. The Webpack documentation is very clear about this feature, but not all developers read the documentation before building an application. This leaves a margin of error where environment variables that were never meant to be hardcoded are hardcoded automatically by Webpack. It is impossible to know for certain whether tokens leaked in the main build are a result of this feature without consulting the developers directly; however, we can test this hypothesis by using EAN to scan Webpack bundles for tokens.
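As an added example (not code from EAN or the original post), the following Node.js script performs the check described above: it scans a Webpack bundle for environment variables that were inlined as string literals and ranks them by potential impact. The bundle contents, the AKIA-shaped sample keys and the function names are constructed assumptions, not values from the campaign.

```javascript
// Added example, not code from EAN or the post: scan a built Webpack bundle for
// env vars DefinePlugin inlined as literals, then rank them by likely impact.
// After DefinePlugin, a CRA build can carry its env block as an object literal.
const INLINED_ENV = /\b(REACT_APP_[A-Z0-9_]+)\s*:\s*"([^"]*)"/g;
// AWS access key IDs have a documented fixed shape: AKIA plus 16 uppercase alphanumerics.
const AWS_KEY_ID = /\bAKIA[0-9A-Z]{16}\b/g;
// Variable names that usually hold credentials rather than public configuration.
const SENSITIVE_NAME = /SECRET|TOKEN|KEY|PASSWORD/;

// Constructed sample output of a production build (hypothetical values only).
const SAMPLE_BUNDLE = [
  '(()=>{"use strict";var e={NODE_ENV:"production",PUBLIC_URL:"",',
  'REACT_APP_TITLE:"Example Site",',
  'REACT_APP_API_URL:"https://api.example.invalid",',
  'REACT_APP_AWS_KEY:"AKIAEXAMPLE0000000AB",',
  'REACT_APP_AWS_SECRET:"constructed-secret-value-0123456789"};',
  // process.env.REACT_APP_X references are replaced by the bare literal; the name is lost.
  'fetch(e.REACT_APP_API_URL,{headers:{"x-api-key":"AKIAEXAMPLE1111111CD"}})})();',
].join('');

function rank(name, value) {
  if (/^AKIA[0-9A-Z]{16}$/.test(value)) return 'high'; // value itself is a key id
  if (name && SENSITIVE_NAME.test(name)) return 'high'; // named like a credential
  if (value === '' || /^https?:\/\//.test(value)) return 'info'; // public config
  return 'low';
}

// Mask values in reports so the scanner output is not itself a leak.
function mask(value) {
  return value.length <= 8 ? '*'.repeat(value.length) : `${value.slice(0, 4)}...${value.slice(-2)}`;
}

function scanBundle(source) {
  const seen = new Set();
  const findings = [];
  for (const [, name, value] of source.matchAll(INLINED_ENV)) {
    seen.add(value);
    findings.push({ name, value: mask(value), severity: rank(name, value) });
  }
  // Key ids inlined directly carry no variable name; skip ones already reported.
  for (const [value] of source.matchAll(AWS_KEY_ID)) {
    if (seen.has(value)) continue;
    seen.add(value);
    findings.push({ name: null, value: mask(value), severity: 'high' });
  }
  const order = { high: 0, low: 1, info: 2 };
  return findings.sort((a, b) => order[a.severity] - order[b.severity]);
}

console.log(scanBundle(SAMPLE_BUNDLE));
```

Running it against a real build means reading the emitted `static/js/*.js` files instead of the constructed string; masking keeps the report safe to share with the owning team.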
The remaining tokens were assessed and sorted by potential impact. Upon analysis, numerous high-impact API tokens were discovered.
Social media tokens
The Facebook Graph API token of a popular news / media site was discovered. Two business pages were linked to the token. Both of these pages have ~1,000,000 likes.
A popular review site published both the AWS_SECRET and AWS_KEY. The token lacked proper permissioning and granted its holder sizable privileges.
Many Contentful API keys were found during this campaign. Many of these appear to give the holder the ability to download, upload, and delete CDN material, potentially allowing for serious escalation attacks.
- Jaggar Henry
- Antero Nevarez-Lira
- Donald Connors
- Evelyn Griffin
While plenty of the tokens are low- to no-impact, the sheer number of tokens EAN found in Webpack builds makes it statistically improbable that none of them belong to targets of high interest. The Goon Security team will continue to research token analysis and false-positive reduction techniques. This research is being used, and will continue to be used, to find new and innovative ways to detect vulnerabilities across thousands of platforms and aid in remediation.