Application Programming Interfaces (APIs) are designed to provide programmatic access to protected functionality without requiring a user to interact with a web front-end. This access can be very valuable to legitimate users and cybercriminals alike, so protecting it from misuse is vital.
API security can be compromised in a variety of ways. Programming or authentication flaws can allow an attacker to overcome or bypass an application's built-in protections against unauthorized use. However, the simplest way for an attacker to gain access to an API is for the developer or user to leak the API credentials. This type of leak has become more prevalent as increasing amounts of code are placed on public code hosting services like Github.
The Value Of Distributed Version Control
A Distributed Version Control System (DVCS) such as Git, usually paired with a hosting service like Github, can be invaluable to an organization's development team. In a DVCS every developer holds a complete copy of the repository, including its full history; teams normally designate one shared copy (conventionally the "master" or "origin" repository) as the point of integration. A user makes changes in their local repository, pushes those changes to the shared copy, and pulls down and merges any changes that other developers have made in the meantime. Git also allows branching of code into multiple lines of development, merging branches later, and tagging particular versions (e.g. as releases).
The use of a tool like Git allows a development team to work effectively in parallel without the overhead of manually merging code changes after different developers have changed the same code in different ways. Git also tracks the full history of the project and allows restoration of a past version if a mistake has been made. Developers have the option of keeping a repository private or making it public, and the shared repo can be hosted on a local server or on the Github web service. Public hosting is useful for open source code and widely distributed projects, but it also has security implications.
Security Implications Of DVCS
While DVCSs and hosting services like Github are valuable to developers, they also represent a significant security risk. A great deal of modern software is designed to interconnect and interact with other software, and this is commonly done through the other program's API.
Since many systems want to control access to their API, they assign users API keys. These API keys provide all of the information necessary to authenticate to the system and are often as good as a user's username and password; for an attacker they can be better, since API calls are usually not subject to multi-factor authentication or interactive login checks. Because these keys are so powerful, it is important to protect them from being leaked. However, the keys also need to be available to software for it to use APIs to interact with other software. As a result, many developers embed API keys in source code or include them in configuration files for a software project.
When using a DVCS like Git with a hosting service like Github, where source code can be publicly visible, this is a problem. Anyone with access to a project's source code can scan it for data that looks like sensitive information (API keys, passwords, etc.), so uploading this data as part of the project compromises the user's account on the other service. Version history makes the leak worse: deleting the key in a later commit does not remove it from earlier commits, clones or forks, so a key that has ever been pushed to a public repository has to be treated as compromised and rotated.
The Next Step In Github Scanning
The fact that source code on Github can reveal sensitive data is nothing new. Several scanners designed to search Github for sensitive data already exist, and Github itself runs a token scanning program that looks for sensitive information accidentally leaked on its platform. The level of visibility and access that Github has on its own platform means that it is likely to identify and deal with data leaks before other tools do.
However, a recently released tool called Shhgit may change this. Shhgit listens to the Github Events API, which publishes a stream of the latest public activity on the platform, including pushes to code repositories. It retrieves the newly pushed content, compares it against signatures for 120 different types of sensitive information, and alerts the user when any valuable data is leaked in an upload.
While an authenticated user is limited to 5,000 requests per hour on the API, the fact that Shhgit watches the most recent uploads to the platform increases the probability that an attacker using it will find a leaked API key before Github's token scanning project identifies it. As a result, this new tool can be a valuable component of a cybercriminal's toolkit and increases the risk that public source code repositories like Github pose.
Ensuring API Token Security
The use of Git and Github for code version control can dramatically increase the effectiveness and visibility of the development process. However, the use of public repositories on Github can negatively impact security if done improperly. Including API keys and other sensitive information in source code uploads can leak them to unauthorized parties before the issue is detected.
When using a public code repository for code that may contain potentially sensitive information, it is important to do so correctly. Git's .gitignore file lists files or folders that are excluded from commits, which keeps local configuration files containing API or cryptographic keys out of the repository entirely; better still, supply secrets to the application at run time through environment variables or a secrets manager rather than through files in the source tree. Scanning source code with a tool designed to detect data leaks is also wise, ideally from a pre-commit hook so the check runs before anything is pushed. If a key does reach a public repository, rotate it immediately, since removing it from the latest commit does not remove it from the history. Unauthorized access to APIs provides an attacker with a great deal of control over a service or user's account, so it is vital that API keys and other credentials are protected.
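The signature-plus-entropy matching that Shhgit applies to the Events feed and the pre-commit scan recommended above can share one scanner. The following is an added example, not Shhgit's code or anything from the original article: the signature list is a small hypothetical subset, the entropy threshold is an assumed value, and the configuration file and staged diff it scans are constructed samples.

```python
"""Signature- and entropy-based secret scanner (added example; not shhgit's code).

Scans whole file contents (as a feed scanner inspects a pushed file) or only the
added lines of a `git diff --cached` (as a pre-commit hook would).
"""
import math
import re
import sys
from dataclasses import dataclass
from typing import List

# Assumed threshold (bits per character): random tokens score above it,
# placeholders such as "changeme" or "REPLACE_ME" score below it.
ENTROPY_THRESHOLD = 3.5

# Hypothetical subset of signatures; real scanners ship far more.
SIGNATURES = [
    ("AWS access key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("GitHub personal access token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("Slack token", re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{10,}\b")),
    ("Private key block", re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")),
]
# Catch-all for `api_key = "..."` style assignments; reported only when the value is high-entropy.
GENERIC = re.compile(r"""(?i)(?:api[_-]?key|secret|token|passw(?:or)?d)\s*[:=]\s*['"]([^'"\s]{8,})['"]""")


@dataclass
class Finding:
    path: str
    line: int
    kind: str
    redacted: str  # never echo the full secret into hook output or logs


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def redact(secret: str) -> str:
    return secret[:4] + "..." + secret[-2:] if len(secret) > 8 else "***"


def scan_line(path: str, lineno: int, line: str) -> List[Finding]:
    found = [Finding(path, lineno, kind, redact(m.group(0)))
             for kind, rx in SIGNATURES for m in rx.finditer(line)]
    if found:
        return found  # a specific signature takes precedence over the generic check
    return [Finding(path, lineno, "High-entropy secret assignment", redact(m.group(1)))
            for m in GENERIC.finditer(line) if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD]


def scan_text(text: str, path: str = "<text>") -> List[Finding]:
    """Scan complete file contents, line by line."""
    return [f for i, line in enumerate(text.splitlines(), start=1) for f in scan_line(path, i, line)]


def scan_staged_diff(diff: str) -> List[Finding]:
    """Scan only the lines a commit would add, tracking file name and new-file line numbers."""
    findings, path, lineno = [], "<unknown>", 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):          # new-file header, e.g. "+++ b/app/config.py"
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("@@"):          # hunk header, e.g. "@@ -10,2 +10,2 @@"
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
            lineno = int(m.group(1)) if m else 0
        elif raw.startswith("+"):           # added line: scan it, then advance
            findings.extend(scan_line(path, lineno, raw[1:]))
            lineno += 1
        elif raw.startswith(" "):           # unchanged context line: advance only
            lineno += 1
        # removed lines ("-") and other headers do not affect new-file numbering
    return findings


# Constructed samples: a config file committed by mistake and a staged diff.
SAMPLE_CONFIG = """# settings.py (constructed sample)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DB_PASSWORD = "changeme123"
API_TOKEN = "q7Xp2nV9rLm4Tz8Wb1Ke"
"""

SAMPLE_DIFF = """diff --git a/deploy/id_rsa b/deploy/id_rsa
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,3 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAAconstructedsamplebody
+-----END OPENSSH PRIVATE KEY-----
diff --git a/app/config.py b/app/config.py
--- a/app/config.py
+++ b/app/config.py
@@ -10,2 +10,2 @@
-SLACK_TOKEN = os.environ["SLACK_TOKEN"]
+SLACK_TOKEN = "xoxb-000000000000-000000000000-constructedsample"
"""


def main(argv: List[str]) -> int:
    # Hook mode reads `git diff --cached` from stdin; otherwise the constructed samples are scanned.
    if "--hook" in argv:
        findings = scan_staged_diff(sys.stdin.read())
    else:
        findings = scan_text(SAMPLE_CONFIG, "settings.py") + scan_staged_diff(SAMPLE_DIFF)
    for f in findings:
        print(f"{f.path}:{f.line}: {f.kind} ({f.redacted})")
    return 1 if findings else 0  # non-zero exit aborts the commit when used as a hook


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

To use it as a hook (assumed layout, saved as secret_scan.py in the repository), a .git/hooks/pre-commit script of the form `git diff --cached | python3 secret_scan.py --hook` blocks any commit whose added lines trigger a finding. Two design choices matter in practice: a line that matches a specific signature is not also reported by the generic rule, so each leak appears once, and the generic rule discards low-entropy values so that placeholders do not drown real keys in noise; the price of that filter is that a weak, guessable hardcoded password such as the changeme123 sample is not reported.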