TruffleHog The Chrome Extension

API keys for SaaS and cloud providers are increasingly making their way into JavaScript. That’s why we’re proud to open source a tool that helps find them: https://github.com/trufflesecurity/Trufflehog-Chrome-Extension

Below is a real example of an AWS key from weather.com making its way onto the front page, identified with the extension.

AWS key on weather.com

You can still view this key today by visiting archive.org and going back to 2020. The Chrome extension should alert you that there’s a key there.

To understand why keys like this are making their way into JavaScript, we first need to understand CORS.

By default, a website can’t just make a request to another origin’s API and read the response; the foreign API has to invite it to do so with a permissive CORS header.

Amazon AWS APIs, as well as many other SaaS and cloud provider APIs, have extremely permissive CORS settings, as seen below with the `Access-Control-Allow-Origin: *` header.

Permissive CORS on AWS

This header not only encourages websites to make requests to AWS directly from the browser, but because AWS’s APIs are credentialed, it also encourages JavaScript to contain AWS credentials, as seen below:

Cross Origin Requests to AWS

We’ve observed this pattern on the open internet, but it also seems more common in internal applications at companies. Unfortunately, CORS issues can cascade and lead to multiple points of failure that compromise the integrity of the keys on internal apps.

Specifically, many common apps have permissive CORS settings. This is a growing trend with API-first application development: because multiple frontend applications often consume the same backend API, many internal apps unfortunately get scoped with permissive CORS settings.

If we combine the above two concepts, we end up with a foreign origin on the open internet that can make requests to internal apps and APIs, read the responses, and steal API keys hardcoded client-side in the internal applications:
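As an added illustration of the two ingredients above (example code written for this page, not part of the extension or the original post): a check of whether a browser would let a script from some origin read a cross-origin response, and a scan of a constructed JavaScript fragment for hardcoded AWS access key IDs. The header semantics and the `AKIA…` key format are assumed from public CORS and AWS conventions.

```python
import re

# AWS access key IDs are 20 characters: "AKIA" plus 16 uppercase letters/digits.
# This is the well-known public format, not a secret from any real site.
AWS_ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])AKIA[A-Z0-9]{16}(?![A-Z0-9])")

# Constructed JavaScript bundle fragment (not from any real site).
SAMPLE_JS = """
var s3 = new AWS.S3({
  accessKeyId: "AKIAEXAMPLEEXAMPLE01",
  secretAccessKey: "not-a-real-secret",
  region: "us-east-1"
});
"""

# Constructed response headers, modelled on the wildcard CORS header shown above.
WILDCARD_CORS_HEADERS = {"Access-Control-Allow-Origin": "*"}


def browser_can_read(origin, response_headers, with_credentials=False):
    """Return True if a script running at `origin` would be allowed by the
    browser to read a cross-origin response carrying `response_headers`.
    Header names are matched case-insensitively."""
    headers = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    if acao is None:
        return False
    if with_credentials:
        # Requests carrying cookies or HTTP auth need an exact origin echo and
        # Access-Control-Allow-Credentials: true; a wildcard is rejected here.
        allow_creds = headers.get("access-control-allow-credentials", "").lower()
        return acao == origin and allow_creds == "true"
    # Plain requests (e.g. AWS SigV4, where the key travels in headers, not
    # cookies) are readable under either a wildcard or an exact origin match.
    return acao == "*" or acao == origin


def find_aws_access_keys(js_source):
    """Return the AWS access key IDs found in a JavaScript source string."""
    return AWS_ACCESS_KEY_RE.findall(js_source)


def exposed_keys(origin, response_headers, js_source):
    """Keys that a script at `origin` could both fetch and read: the
    combination of a permissive CORS policy and a hardcoded credential."""
    if not browser_can_read(origin, response_headers):
        return []
    return find_aws_access_keys(js_source)


if __name__ == "__main__":
    print(exposed_keys("https://attacker.example", WILDCARD_CORS_HEADERS, SAMPLE_JS))
```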

The Chrome extension has a few other nice features as well, such as the ability to detect exposed `.git` directories and `.env` files, both of which can also contain credentials.

Here again is a link to the repo: https://github.com/trufflesecurity/Trufflehog-Chrome-Extension

The extension is currently pending security review on the Google extension store, but in the meantime it can be sideloaded.

Happy hacking!

Dylan Ayrey


© 2022 Truffle Security. All Rights Reserved.