Exposure of confidential secret or token Heroku API key or application authorization token
Description
The response body contains content that matches the pattern of a Heroku API key or application authorization token was identified. API keys and authorization tokens can be used to perform API calls on behalf of a user or account. A malicious actor with access to these tokens can access the Heroku API platform and all deployed applications. Exposing this value could allow attackers to gain access to all resources granted by this token.
Remediation
For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on Credential exposure to the internet.
To regenerate an API key for the identified user:
- Sign in to your account and visit https://dashboard.heroku.com/account
- Under the “API Key” section, select “Regenerate API Key”
- When prompted, select “Regenerate API Key” in the “Regenerate API Key” dialog
To regenerate an application authorization token:
- Sign in to your account and visit https://dashboard.heroku.com/account/applications
- Under the “Authorizations” section, find the registered authorization that contains the identified token
- Select the pencil icon
- Select “Regenerate token”
For more information on API keys, see their FAQ on generating API keys. Heroku does not have any documentation on application authorization tokens.
Details
| ID | Aggregated | CWE | Type | Risk |
|---|---|---|---|---|
| 798.59 | false | 798 | Passive | High |