Exposure of confidential secret or token Lob API key
Description
The response body contains content that matches the pattern of a Lob API key was identified. API keys can be used to verify addresses, create campaigns, print, or mail directly to customers. A malicious actor with access to this key can perform any API request to Lob without restriction. Exposing this value could allow attackers to gain access to all resources granted by this token.
Remediation
For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on Credential exposure to the internet.
To rotate an API key:
- Sign in to your account and go to https://dashboard.lob.com/
- In the bottom left corner select the gear icon / “Settings” menu option
- Under “Settings” select the “API Keys” tab
- Under the “Live Environment” in the “Secret API Keys” section, select the rotate arrow icon
- When prompted, select “Yes” in the “Rotate Secret Live API Key” dialog
For more information, please see Lob’s documentation on API keys.
Details
| ID | Aggregated | CWE | Type | Risk |
|---|---|---|---|---|
| 798.70 | false | 798 | Passive | High |