Secret information stored in the application

Secret information stored in the application

Risk: potentially

Description

Leaking secrets, passwords, and API keys can have serious consequences, including:

• Loss of confidentiality: Unauthorized individuals may gain access to sensitive information if secrets or passwords are leaked.
• Loss of integrity: Leaked secrets or passwords may be used to gain unauthorized access to systems or data, potentially leading to the alteration or corruption of that information.
• Loss of availability: In some cases, the unauthorized use of leaked secrets or passwords may result in the denial of access to legitimate users, leading to a loss of availability of the affected systems or data.
• Reputational damage: A company or individual may suffer damage to their reputation if it is revealed that they were not able to properly protect sensitive information.
• Legal consequences: Depending on the nature of the leaked information and the laws in the relevant jurisdiction, the leakage of secrets or passwords could potentially lead to legal consequences.
• Overbilling: Leaking API keys could potentially be used by unauthorized individuals to access API resources and perform actions that may incur charges, leading to overbilling.

Recommendation

Sensitive data should never be included with the application itself. Instead, secure methods for encrypting, storing, and retrieving credentials for your services should be used to access this data as needed.

To prevent the risk of overbilling, consider implementing API key pinning or using authenticated APIs for services with potentially high usage costs. API key pinning helps to restrict the use of a key to a specific application by requiring a cryptographic signature, and it can be enabled by the service provider (e.g., Google Maps).

For keys that may allow unauthorized access, it is important to restrict permissions and roles to non-critical functions, or to expose the service through an authenticated API.

To further enhance security, the API should also have proper access controls and rate-limiting in place, and keys should be rotated regularly to prevent unauthorized use.

Links

• API Security Best Practices
• How to secure your Google Maps API Key
• CWE-200: Data Exposure
• CWE-259: Use of Hard-coded Password
• What Is AWS Secrets Manager?

Standards

• OWASP_MASVS_L1:
  • MSTG_STORAGE_1
• OWASP_MASVS_L2:
  • MSTG_STORAGE_1
• CWE_TOP_25:
  • CWE_798
• PCI_STANDARDS:
  • REQ_2_2
  • REQ_3_2
  • REQ_3_3
  • REQ_3_5
  • REQ_3_6
  • REQ_3_7
  • REQ_6_2