How I extracted the API key in less than half an hour: my story with it


On Nov 19, 2024, on my first entry into the Hacker One platform, I found a site with few discovered vulnerabilities. I was attracted by it and said to myself that it did not have many testers and I could find myself in it.

I entered the program, found its domains, chose the main domain and opened it to examine it and learn about the structure of the site. It was simple. I logged in, and my login was intercepted after I pressed login.

Of course, I intercepted the request with the Burp Suite tool and I did a drop for the first request, which is the registration request, and the second request was a request containing an API key. It turned out that I submitted it directly to the program and did not provide them with the possibility of exploitation. The problem was that the report was rated Informative haha. It was a mistake on my part that I gave them the key without giving them the exploitation process, which prompted them to examine the key haha.

Then I presented a way to exploit the key half an hour after responding to the report, after someone had discovered the vulnerability two years ago. I don't know why they haven't closed it yet, but they gave me a duplicate of my report with the report that preceded me by two years haha; it was stated there that it was a high-risk vulnerability, unlike me, who stated that it was medium.

Now I will explain where to find API keys.

1. In public requests:
Using DevTools:
Open the Network tab.
Search the sent requests (XHR/Fetch).
Check fields like:
Authorization or X-API-Key in the headers.
Keys present inside the body, like "api_key": "xxxxx".
Example:

```json
{
  "api_key": "1aa5b8f3c8bc4674e5ae4169bbc901"
}
```

2. In JavaScript files:
Open the source code:
Go to View Page Source or Sources in DevTools.
Search using words like:
apiKey
authToken
config.
Example:

```javascript
const apiKey = "1aa5b8f3c8bc4674e50b4169bbc901";
```

Tools:
Chrome DevTools
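As an added example (not code from the post or from the program in question), here is a small Python scanner that applies the same searches to a captured request body, a JavaScript source and a header set, the kind of check a team can run over its own bundles and traffic before a key ends up visible in DevTools. The inputs are constructed samples that reuse the post's illustrative key strings.

```python
import re

# Constructed sample inputs (not captured from any real site); the key strings
# are the illustrative values used in the post above.
SAMPLE_BODY = '{"event": "login", "api_key": "1aa5b8f3c8bc4674e5ae4169bbc901"}'
SAMPLE_JS = """
const cfg = { endpoint: "/v1/track" };
const apiKey = "1aa5b8f3c8bc4674e50b4169bbc901";
var authToken = 'tok_' + "abc";   // too short to count as a credential
"""
SAMPLE_HEADERS = {
    "Content-Type": "application/json",
    "X-API-Key": "1aa5b8f3c8bc4674e5ae4169bbc901",
}

# Names the post suggests searching for, matched as name: "value" (JSON) or
# name = "value" (JavaScript); a quoted literal shorter than 16 chars is ignored.
KEY_NAMES = r"api[_-]?key|auth[_-]?token|x-api-key|authorization"
Q = r"""["']"""  # a single or double quote
KEY_PATTERN = re.compile(
    Q + "?(?P<name>" + KEY_NAMES + ")" + Q + r"?\s*[:=]\s*" + Q
    + r"(?P<value>[A-Za-z0-9_.\-]{16,})" + Q,
    re.IGNORECASE,
)
CREDENTIAL_HEADERS = ("authorization", "x-api-key")


def find_keys(text):
    """Return (name, value) pairs for hardcoded key-like literals in text."""
    return [(m.group("name"), m.group("value")) for m in KEY_PATTERN.finditer(text)]


def scan_headers(headers):
    """Return (header, value) pairs for request headers that carry a credential."""
    return [(h, v) for h, v in headers.items()
            if h.lower() in CREDENTIAL_HEADERS and len(v) >= 16]


def redact(value):
    """Mask a value for a report so the key itself is not copied around."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


if __name__ == "__main__":
    for label, hits in (("body", find_keys(SAMPLE_BODY)),
                        ("js", find_keys(SAMPLE_JS)),
                        ("headers", scan_headers(SAMPLE_HEADERS))):
        for name, value in hits:
            print(f"[{label}] {name} = {redact(value)}")
```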

What can an attacker do with the key?

Send unauthorized data to the analytics servers.
Pollute the event logs, which hinders the analytics from working correctly.

In conclusion, I told my story and I do not accuse anyone from the team in any way, but I wanted to thank you for my story, which I hope will benefit you. The platform is useful and enjoyable for discovering vulnerabilities and has merit in the future, which adds information to my personal biography. I hope you succeed.
