Did They Lose Their Keys? A Black Box Pentest Adventure

The First Clue: APIs Everywhere

As we began mapping the organisation’s external attack surface, we quickly identified several APIs. That is not unusual — modern applications rely heavily on APIs to power mobile apps, web apps, integrations, and third-party services.

But there was a catch.

These APIs were not completely open. Each request required an API key — a unique secret token used to authenticate and authorise access. In theory, this should have stopped us in our tracks.

After all, API keys are often treated as the “keys to the kingdom.”

So… where could we find one?

Enter OSINT: The Art of Digital Detective Work

This is where Open-Source Intelligence (OSINT) comes into play.

OSINT involves collecting information from publicly available sources such as:

• GitHub and GitLab repositories
• Paste sites and forums
• Documentation portals
• Old blog posts and tutorials
• Employee profiles and shared code

Digging deeper, we uncovered something interesting: old public repositories belonging to the organisation. These repositories were no longer actively maintained — digital relics of past projects.

Like dusty treasure chests left out in the open, they had not been reviewed in years.

And inside one of them. Hit the Jackpot!

The Lost Key

Buried in the code was an exposed API key, committed directly into a repository. Alongside it were developer notes, scripts, and references to internal tools that once relied on that key.

Although the code was “old,” the key was still valid.

Armed with it, we returned to the APIs.

Suddenly, the doors opened.

We were able to authenticate successfully, interact with endpoints, and access sensitive data — clearly demonstrating how forgotten secrets and abandoned code can still pose very real risks today.

No malware.

No zero-days.

Just publicly available information and a key that was never revoked.

Why This Is So Dangerous?

Exposed API keys are a common — and critical — security issue. When attackers obtain them, they can:

• Access sensitive application data
• Abuse backend services
• Bypass authentication controls
• Perform actions as a trusted application
• Rack up costs through API abuse
• Pivot deeper into internal systems

In security breaches, attackers do not “break in”; they simply log in using credentials that were unintentionally published.

How to Prevent Lost Keys and OSINT-Based Attacks?

Organisations can significantly reduce this risk by following essential practices:

1. Never Hardcode Secrets
   API keys, tokens, and credentials should never be stored directly in source code.
2. Audit Public Repositories Regularly
   Periodically review GitHub, GitLab, and other platforms for exposed company code.
3. Rotate Keys Frequently
   Assume keys will eventually leak. Regular rotation limits the damage.
4. Revoke Old and Unused Keys
   If a key is no longer needed, disable it immediately.
5. Use Secret Scanning Tools
   Automated tools can detect leaked secrets before attackers do.
6. Apply Least Privilege
   API keys should have only the permissions they absolutely need — nothing more.

The Bigger Lesson

The key lesson from this engagement is simple but powerful:

• Your old code and forgotten repositories can come back to haunt you.
• What seems harmless today — an old demo project, a proof-of-concept, a “temporary” key — can become tomorrow’s breach entry point.

🔑 Do not wait for attackers to find your lost keys.

Secure Your Environment Before It’s Exploited

At Liverton Security, we help organisations identify risks hiding in plain sight — from exposed secrets and API weaknesses to full attack-chain exploitation.

Contact Liverton Security today, to assess your applications and networks. We will help you discover and fix vulnerabilities before the bad guys do.

About Liverton Security

Digital technology has greatly expanded opportunities for businesses, but has also introduced complex security threats that organisations cannot ignore. Protecting people, critical data, and entire organisations requires proactive and continuous security strategies.

As an influential and respected leader in global cybersecurity, Liverton Security specialises in helping businesses and government organisations neutralise evolving cyber threats in the digital age.