Discovering Leaked API Tokens in Webpack JS Files

On Wednesday, July 8th, Goon Security released research outlining the problems involved in how researchers scan code for leaked API tokens. Several false positive reduction techniques were introduced, and now it is time to go over how they fared in the real world. Controlled testing showed that these techniques reduce false positives by a significant amount; to find out whether scanning thousands of live JavaScript files for leaks is actually feasible, an EAN campaign was launched.

Download the tool: https://github.com/Goon-Security/EAN_CLI

Webpack

The EAN campaign was centered around Webpack, a module bundler for Node.js. The feature this campaign focuses on is that environment variables are bundled into the Webpack build, which is the reason for targeting Webpack specifically: tokens held in environment variables end up embedded in the build. NOTE: This is not a problem with Webpack. Developers should read the documentation.

While this particular excerpt only mentions variables with the prefix “REACT_APP_”, environment variables passed directly into the React app with the “--env” flag are also embedded in the build. While the Webpack documentation is very clear about this feature, not all developers read the documentation before building an application. This leaves a margin of error where environment variables that were never meant to be hardcoded are automatically hardcoded by Webpack. It is impossible to know for certain whether tokens leaked in the main build are a result of this feature without consulting the developers directly; however, the hypothesis can be tested by using EAN to scan Webpack bundles for tokens.

This campaign lasted a total of 11 hours and scanned thousands of JavaScript files. Many “google-site-verification” keys were discovered, as well as integrity hashes; both were easily discarded through trivial parsing. The remaining tokens were a mix of public Captcha keys and public analytics tokens, which were not as easily ignored.
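As an added illustration of the two points above (not code from this post or from the EAN tool), here is a small Node.js scanner run over a constructed bundle fragment: it picks out token-shaped string runs that DefinePlugin-style inlining leaves behind and drops the two classes the campaign discarded by parsing, google-site-verification values and SRI integrity hashes. The sample values, the function names and the 80-character look-back window are assumptions of this example.

```javascript
'use strict';

// Constructed sample of a minified CRA/Webpack bundle. At build time
// DefinePlugin replaces process.env.REACT_APP_* with the variable's value,
// so the bundle carries string literals where the source had process.env.
// Every value below is a made-up placeholder (the AWS pair is the one used
// in the AWS documentation examples).
const SAMPLE_BUNDLE = [
  'var a="AKIAIOSFODNN7EXAMPLE",s="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";',
  'h.Authorization="Bearer EAACEdEose0cBAEXAMPLEexampleTOKENexample1234";',
  'm.innerHTML=\'<meta name="google-site-verification" content="AbCdEfGhIjKlMnOpQrStUvWxYz0123456789_-abc">\';',
  'l.integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC";',
].join('\n');

// Runs of token-shaped characters long enough to be credentials.
const TOKEN_RUN = /[A-Za-z0-9_\-+\/=]{20,}/g;
// Subresource Integrity digests: "sha256-"/"sha384-"/"sha512-" plus base64.
const SRI_HASH = /^sha(256|384|512)-[A-Za-z0-9+\/]+={0,2}$/;
// How far back to look for a <meta name="google-site-verification"> attribute
// (assumed window; a real token this close to the meta tag would be dropped too).
const META_LOOKBACK = 80;

function classify(value) {
  // AWS access key IDs have a fixed, well-known shape; everything else is
  // left as an untyped candidate for manual triage.
  if (/^AKIA[0-9A-Z]{16}$/.test(value)) return 'aws_access_key_id';
  return 'candidate';
}

// Returns every token-shaped run that survives the two parsing-based
// discards, tagged with its byte offset so a reviewer can locate it.
function scanBundle(text) {
  const findings = [];
  for (const m of text.matchAll(TOKEN_RUN)) {
    const value = m[0];
    // Require letters and digits; plain identifiers and words rarely have both.
    if (!/[A-Za-z]/.test(value) || !/[0-9]/.test(value)) continue;
    if (SRI_HASH.test(value)) continue; // integrity hash, not a secret
    const before = text.slice(Math.max(0, m.index - META_LOOKBACK), m.index);
    if (before.includes('google-site-verification')) continue; // public value
    findings.push({ value, kind: classify(value), offset: m.index });
  }
  return findings;
}

for (const f of scanBundle(SAMPLE_BUNDLE)) console.log(f.kind, f.offset, f.value);
```

On the sample this reports the AWS key pair and the bearer token while dropping the verification value and the sha384 digest; on a real bundle the candidate list still needs the entropy and pattern checks the research describes.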

The remaining tokens were assessed and sorted by potential impact. Upon analysis, numerous high-impact API tokens were discovered.

Social media tokens

The Facebook Graph API token of a popular news / media site was discovered. Two business pages were linked to the token. Both of these pages have ~1,000,000 likes. 

AWS Buckets

A popular review site published both its AWS_SECRET and AWS_KEY. The credential lacked proper permission scoping and granted its holder broad privileges.

Contentful CDN

Many, many Contentful API keys were found during this campaign. Many of these appear to give the holder the ability to download, upload, and delete CDN material, potentially allowing for heavy escalation attacks.

Team:

  • Jaggar Henry
  • Antero Nevarez-Lira
  • Donald Connors
  • Evelyn Griffin

While plenty of the tokens are low to no impact, the sheer number of tokens found by EAN in Webpack builds makes it statistically improbable that targets of high interest are not among them. The Goon Security team will continue to research token analysis and false positive reduction techniques. This research is, and will continue to be, used to find new and innovative ways to detect vulnerabilities across thousands of platforms and aid in remediation.