Hi everyone, I am Nikhil aka socalledhacker, a security researcher, penetration tester, certified ethical hacker and a web3 noob. In my bug bounty career I have discovered and exploited lots of API keys that are hardcoded in JavaScript files.
There is a GitHub repo called Keyhacks that documents exploitation methods for many API keys, but it has no method for the Bugsnag API key.
In this article I am going to show how I found this API key hardcoded in multiple websites and how I exploited it, so let's begin...
The Bugsnag API key is used for error management, which is a paid service. An attacker who has the key can generate fake errors, which creates trouble for the company and a financial loss.
I mostly found this API key at the path "/cdn/shopifycloud/boomerang/shopify-boomerang-1.0.0.min.js".
You can also use the TruffleHog Chrome extension, which helps with automatic API key detection.
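Manual searching for "api" in a minified bundle is tedious, so here is a small offline scanner you can run over JavaScript assets you have already fetched. It is an added example and not code from the original post, from TruffleHog or from Bugsnag. It assumes that Bugsnag notifier API keys are 32 hex characters and that they appear either as an apiKey-style property or as the string argument of the bugsnag-js initialisation call (Bugsnag.start("...") in v7, bugsnag("...") in older versions); the sample assets are constructed for the demonstration.

```python
"""Scan JavaScript assets for hardcoded Bugsnag notifier API keys.

Added example (not from the original post). It reports where a Bugsnag-style
apiKey is embedded in a bundle so the owning team can review the exposure.
"""
import re
from typing import Dict, List

# Assumption: Bugsnag notifier API keys are 32 hex characters.
HEX32 = r"[0-9a-f]{32}"

# Ways the key typically appears in a (minified) bundle. Each pattern has
# exactly one capture group holding the key.
KEY_PATTERNS = [
    # Bugsnag.start("KEY") (bugsnag-js v7) or bugsnag("KEY") (older bugsnag-js)
    re.compile(r"(?i)bugsnag(?:\.start)?\(\s*['\"](" + HEX32 + r")['\"]"),
    # any object literal or assignment: apiKey:"KEY", api_key = 'KEY', bugsnagApiKey:"KEY"
    re.compile(r"(?i)api[_-]?key\s*[:=]\s*['\"](" + HEX32 + r")['\"]"),
]

# Any mention of Bugsnag in the same file raises our confidence that a
# 32-hex apiKey is a Bugsnag notifier key rather than some other SDK's key.
BUGSNAG_CONTEXT = re.compile(r"(?i)bugsnag")


def scan_js(asset_name: str, source: str) -> List[Dict[str, object]]:
    """Return one finding per distinct key found in `source`."""
    references_bugsnag = bool(BUGSNAG_CONTEXT.search(source))
    findings, seen = [], set()
    for pattern in KEY_PATTERNS:
        for m in pattern.finditer(source):
            key = m.group(1).lower()
            if key in seen:  # same key matched by two patterns or repeated
                continue
            seen.add(key)
            findings.append({
                "asset": asset_name,
                "line": source.count("\n", 0, m.start()) + 1,
                "key": key,
                "confidence": "high" if references_bugsnag else "low",
            })
    return findings


def scan_assets(assets: Dict[str, str]) -> List[Dict[str, object]]:
    """Scan a mapping of asset name -> JavaScript source."""
    out: List[Dict[str, object]] = []
    for name, src in assets.items():
        out.extend(scan_js(name, src))
    return out


def redact(key: str) -> str:
    """Show only the ends of a key so reports do not re-leak it."""
    return key[:4] + "..." + key[-4:]


# Constructed sample assets (not real Shopify or Bugsnag code).
SAMPLE_ASSETS = {
    "app.min.js": (
        '!function(){var e={apiKey:"0123456789abcdef0123456789abcdef",'
        'appVersion:"2.3.1",releaseStage:"production"};Bugsnag.start(e)}();'
    ),
    "legacy.js": (
        'bugsnagClient = bugsnag("89abcdef0123456789abcdef01234567");\n'
        'var buildHash="fedcba9876543210fedcba9876543210";'  # hex, but not a key
    ),
    "analytics.js": (
        'var cfg = { api_key: "ffffffffffffffffffffffffffffffff", '
        'endpoint: "https://collector.example/v1" };'
    ),
}


if __name__ == "__main__":
    for f in scan_assets(SAMPLE_ASSETS):
        print(f"{f['asset']}:{f['line']}  {redact(f['key'])}  confidence={f['confidence']}")
```

The "low" confidence bucket exists because apiKey is a property name shared by many SDKs; a 32-hex value in a file that never mentions Bugsnag still deserves a look, but it needs manual confirmation before it goes into a report. Feed the scanner the bundles your own crawler or browser proxy has saved, rather than fetching third-party sites from inside the script.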
How to exploit this:
Go to this URL: https://bugsnagerrorreportingapi.docs.apiary.io/#reference/0/notify/send-error-reports?console=1, click "add new parameter", add a random parameter with the API key as its value, and click "Call". If the response is 200 OK, you can report this to the company.
So, it's time to create the report.
Description:
Your application uses https://notify.bugsnag.com/ for error management. This service issues an API key for error reporting, and that key is leaked in a JavaScript file.
Steps to reproduce:
1. Go to https://example.com/cdn/shopifycloud/boomerang/shopify-boomerang-1.0.0.min.js
2. Search for "api" in this JavaScript file.
3. Open https://bugsnagerrorreportingapi.docs.apiary.io/#reference/0/notify/send-error-reports?console=1
4. Enter the API key and generate error logs.
Impact:
With this API key an attacker can generate fake error logs in your error log monitoring system, and the leak of this key can also lead to financial losses.
That's it for this article. I will upload more articles on web2 bugs, covering everything from P4 to P1, in the near future, so stay tuned... :)
Follow me on: LinkedIn, Twitter/X, GitHub and Medium.