Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by raden - 09.06.2025
Last edited by cbay - 09.06.2025

FS#180 - Responsible Disclosure - Exposure of Sensitive API Keys on Alwaysdata Infrastructure

To: Alwaysdata IT Security Team
From: Raden Adhiyaksa Indiharto
Date: June 9, 2025
Vulnerability: Sensitive Data Exposure

Dear Alwaysdata Security Team,

I hope this message finds you well. I am reaching out to responsibly disclose a security issue I have identified within your infrastructure that may pose a risk to your services and your users.

Vulnerability Summary
During passive reconnaissance of your publicly accessible infrastructure, I discovered multiple sensitive API keys and service credentials exposed in plaintext, including:
1. Twilio ACCOUNT_SID and APP_SID values
2. Heroku API keys
3. Amazon AWS S3 bucket URLs

These secrets were found in a file named secret.txt on your domain (alwaysdata.com). The exposed credentials could potentially allow unauthorized access to third-party services, leakage of customer data, or resource abuse.

Steps to Reproduce
1. Access the Alwaysdata public directory.
2. Locate the file named secret.txt.
3. Run the following commands to filter sensitive credentials:

cat secret.txt | grep Heroku
cat secret.txt | grep twilio
cat secret.txt | grep aws

4. This revealed a number of API keys and identifiers, as shown in the screenshots I have attached to this report.

Suggested Remediation
1. Immediately remove the publicly exposed file or restrict access to it.
2. Revoke and rotate all exposed API keys (Twilio, Heroku, AWS, etc.).
3. Conduct an internal audit to ensure no unauthorized access has occurred using these credentials.
4. Consider implementing secret scanning tools in your CI/CD pipelines to prevent future exposures.

Additional Note
At this point, no further exploitation has been carried out, and no services have been interacted with using the exposed credentials. However, if you require a deeper assessment or verification of the actual impact and exploitability, I am open to performing controlled testing with your permission.

Please advise if the investigation should stop at this discovery phase, or if you would like me to assist further in validating the scope of the exposure.

Disclosure Policy
This report has not been shared publicly. I am committed to responsible disclosure and will not publish or use this information in any way that may harm your services or users. Please let me know if you need any further details or assistance in mitigating this issue.

Thank you for your attention, and I look forward to your response.

Kind regards,
Raden Adhiyaksa Indiharto

email: radenadhiyaksa89@gmail.com

Links to video, image, and file PoC:
https://drive.google.com/drive/folders/1pTvtlZmsxj9LIhyAwNnDN5ZRqGnweZs3?usp=sharing

Closed by cbay
09.06.2025 10:04
Reason for closing: Invalid
Admin
cbay commented on 09.06.2025 07:24

Hello,

These secrets were found in a file named secret.txt on your domain (alwaysdata.com).

Can you please give the exact URL where that file would be located?

Kind regards,
Cyril

raden commented on 09.06.2025 09:40

Dear Cyril,

I sincerely appreciate your prompt response and attention to the vulnerability I reported.

For your reference, I have compiled a list of URLs/endpoints where secret keys were identified. You may access the files through the following link:
https://drive.google.com/drive/folders/1pTvtlZmsxj9LIhyAwNnDN5ZRqGnweZs3?usp=sharing

Kindly review the file named:

URL_endpoint_secret_key_founded.txt

for a summary of the findings.
If you wish to see the original version, please refer to the file titled:

secret.txt

Thank you once again for your attention and support.

Warm regards,
Raden

Admin
cbay commented on 09.06.2025 09:44

I don't understand that list. Take that item for instance:

twilio_account_sid → act-we-can-be-heroes-just-for-one- → https://blog.alwaysdata.com/tag/node-js

What does that even mean? What does https://blog.alwaysdata.com/tag/node-js have to do with Twilio, which we don't even use?

raden commented on 09.06.2025 09:57

Dear Cyril,

Thank you very much for your clarification.

You are absolutely right — the item twilio_account_sid → act-we-can-be-heroes-just-for-one- → https://blog.alwaysdata.com/tag/node-js is not a valid secret key, and I completely understand your confusion.

To clarify, the list of endpoints in URL_endpoint_secret_key_founded.txt was generated using an automated tool called SecretFinder.py during my reconnaissance phase. This tool scans for patterns that may resemble secret keys or credentials, but it can also produce false positives such as the one you mentioned.

Please feel free to disregard any item that clearly does not correspond to sensitive data or valid secrets. I included the full list in the interest of transparency, but I fully understand that not all entries are relevant or actionable.

Thank you again for your time and consideration.

Kind regards,
Raden

Admin
cbay commented on 09.06.2025 10:04

I'm pretty sure it's all false positives.
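
The false positive discussed in the last three comments, worked through as an added example that is not part of the thread and is not SecretFinder.py's own code: a loose, case-insensitive "prefix plus run of permitted characters" pattern of the kind regex-based secret scanners use accepts the blog slug quoted above (it is "ac" followed by exactly 32 letters and hyphens), while a rule that enforces the provider's real format (a Twilio Account SID is "AC" followed by 32 lowercase hex digits; a Heroku API key is a UUID) plus a token boundary rejects it. The sample text, the well-formed but fake SID and the fake Heroku key are constructed for this example, and the loose patterns are an assumption about how such tools match, not copied from any tool.

```python
import re

# Constructed sample input for this example (not the reporter's secret.txt).
# Line 1 reproduces the false positive quoted in the thread: link text on the
# node-js tag page that begins with "ac" and continues with 32 characters from
# the loose rule's alphabet. What followed those 34 characters on the real page
# is not in the thread, so nothing is appended here.
# Lines 2 and 3 carry a well-formed but fake Twilio Account SID and a fake
# Heroku-style API key (a UUID), both made up for this example.
SAMPLE_TEXT = """\
<a href="https://blog.alwaysdata.com/tag/node-js">act-we-can-be-heroes-just-for-one-</a>
const TWILIO_ACCOUNT_SID = "AC0123456789abcdef0123456789abcdef";
HEROKU_API_KEY=01234567-89ab-4cde-8f01-23456789abcd
"""

# Loose rules of the kind regex-based secret finders ship (assumed for this
# example, not copied from SecretFinder.py): a short prefix, then a run of
# "identifier-ish" characters, compiled case-insensitively. Any English slug of
# the right length with a leading "ac" satisfies the first one.
LOOSE_RULES = {
    "twilio_account_sid": re.compile(r"AC[a-zA-Z0-9_\-]{32}", re.IGNORECASE),
    "heroku_api_key": re.compile(
        r"heroku.{0,30}[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}",
        re.IGNORECASE,
    ),
}

# Strict rules enforce what the provider actually issues: exact case, exact
# alphabet, and a boundary so the match cannot be a slice of a longer token.
# A Twilio Account SID is "AC" + 32 lowercase hex digits; a Heroku API key is a
# lowercase UUID. Only the "heroku" label stays case-insensitive, through a
# scoped (?i:...) group, so the hex alphabet itself remains exact.
_LEFT = r"(?<![A-Za-z0-9_-])"
_RIGHT = r"(?![A-Za-z0-9_-])"
_UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
STRICT_RULES = {
    "twilio_account_sid": re.compile(_LEFT + r"AC[0-9a-f]{32}" + _RIGHT),
    "heroku_api_key": re.compile(r"(?i:heroku).{0,30}" + _LEFT + _UUID + _RIGHT),
}


def scan(text, rules):
    """Return {rule_name: [matched strings, in order]} for every rule that fires."""
    hits = {}
    for name, pattern in rules.items():
        found = pattern.findall(text)
        if found:
            hits[name] = found
    return hits


def triage(text):
    """Run the loose rules, then keep only candidates that the strict rule of the
    same name also produces from the full text (boundaries are checked in
    context, not on the candidate alone). Returns (confirmed, rejected), each a
    {rule_name: [candidates]} dict."""
    loose = scan(text, LOOSE_RULES)
    strict = scan(text, STRICT_RULES)
    confirmed, rejected = {}, {}
    for name, candidates in loose.items():
        accepted = set(strict.get(name, []))
        for cand in candidates:
            bucket = confirmed if cand in accepted else rejected
            bucket.setdefault(name, []).append(cand)
    return confirmed, rejected


if __name__ == "__main__":
    ok, bad = triage(SAMPLE_TEXT)
    for name, cands in bad.items():
        for cand in cands:
            print(f"false positive   {name}: {cand}")
    for name, cands in ok.items():
        for cand in cands:
            print(f"worth verifying  {name}: {cand}")
```

Running this on the constructed text puts the quoted slug in the rejected bucket and leaves only the two well-formed tokens for follow-up. A format check is a filter, not proof: a candidate that survives it still needs to be confirmed against the provider, which means an authenticated request that should only be made with the owner's permission, as the reporter offered above.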
