A few holiday seasons ago, Paul S was doing the requisite holiday shopping online, looking for those perfectly impersonal but mildly thoughtful gifts that many companies specialize in. This was one of the larger such vendors, well known for its fruit-filled gift baskets. As is not uncommon for our readers, when the site started misbehaving, he pulled up the dev tools. He didn’t solve the problem, but he did learn a lot about how they were managing their API keys, as this was exposed to the client:
env: {
  APP_AUTH0_GUID: 'ctZZL1BqgKm9kBmDEKAjt0yBeQ47Cpwl XS0xxpLFS5g8o-EUpSu4fi9ecOqN19WnXn-EqI9yaupwme22bKuBd2jH3Kf3QngZ',
  APP_LOGGING_ENABLED: 'true',
  APP_LOGGING_SERVICE_PATH: 'r/api/logging/mbp-ui',
  REACT_APP_MBP_LOGGER_CONSOLE: 'ERROR',
  APP_TIQ_ACCOUNT: '1800flowers',
  APP_TIQ_PROFILE: 'full',
  APP_TIQ_ENV: 'prod',
  APP_PAYPAL_SDK_URL: 'https://www.paypal.com/sdk/js',
  APP_PAYPAL_CLIENT_ID: 'AcYrxrOkFwUnMKRoJmkOR0N6caopqRNqwNRxy6H-EvZ-IKUz22i-E0uT0uMT7JQZEC33Oy1HCNsgm_le',
  APP_PAYPAL_ENV: 'production',
  APP_PAYPAL_SOURCE: 'PWA',
  APP_VENMO_ENV: 'production',
  APP_VENMO_PROFILE_ID: '2705494007504552889',
  APP_AUTH_LOGIN_SOURCE: 'undefined',
  APP_SG_BASKET_SCRIPT: 'https://cdn2.smartgiftit.com/scripts/widgets/gift-basket.js',
  APP_AUTH_DOMAIN: 'login.celebrations.com',
  APP_AUTH_AUDIENCE: 'celebrations-prod.1800-flowers.auth0.com',
  APP_STATUS_BAR_ENABLED: 'true',
  APP_WALLET_ENABLED: 'true',
  APP_VERIFY_ADDRESS_HOST: 'api.edq.com',
  APP_VERIFY_ADDRESS_AUTH_TOKEN: '47d991c9-043e-4073-bee3-a5c8922baa3a',
  APP_FULLSTORY_ORG_ID: 'MXD30',
  APP_GRAPHQL_ENV: 'production',
  APP_VISA_CHECKOUT_API_KEY: 'B0LQRDVCE0LWKBHR880J14gCRlEjr_UqLhh6V-yYRAmcvD0W8'
}
I’ve gone ahead and mangled the keys, and given that this was a few holidays ago, I’d hope the retailer in question has fixed their website. But as you can see, it was pushing API keys for payment processors, along with potential authentication tokens and internal IDs, to the client. Now, I would hope most of these required additional authentication to be useful, and that a malicious actor couldn’t do anything nasty with this information, but that’s a dim hope. Even with the data exposed here, I wonder if someone could flip APP_PAYPAL_ENV to “development” or “test” and run some transactions through. Or do the same with Venmo.
This is a React app, based on some of the keys, using GraphQL to communicate with the back end, and that hints at the fact that it’s a single-page application. Probably, the developers were trying to build once for the web and for a “website bundled in an app” deployment on smartphones. And the result is that they weren’t thinking about the distinction between “public” and “private” information: they had state to manage, so they managed it. By sending it to the client. Where anyone could see it. But it looked good, they shipped it, and they made sales, so everyone was happy.
For a time.
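The two halves of the problem above (a build that copies the whole environment into the client bundle, and nobody checking the shipped bundle afterwards) each have a cheap guard. The following is an added example, not code from the article or from the retailer: a build-time allowlist that only passes named public keys through to the client and refuses any key whose name looks like a credential, plus a post-build scanner that pulls `KEY: 'value'` pairs out of a bundle and reports the ones that should not be there. The key names are taken from the dump above; the values in the sample bundle are constructed placeholders, and the `expectedPublic` set, the regexes and the function names are this example's own choices.

```javascript
// Added example (not from the article): a build-time allowlist for client
// configuration plus a scanner for a produced bundle.

// Key names that mark a variable as something the browser must never receive.
const SENSITIVE_KEY_PATTERN = /(SECRET|TOKEN|PASSWORD|PRIVATE|API_KEY|GUID)/i;

// Values that look like credentials even when the key name is innocuous:
// UUIDs, or long base64url-shaped strings.
const SENSITIVE_VALUE_PATTERN =
  /^(?:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|[A-Za-z0-9_-]{40,})$/;

// Build step: only explicitly allowlisted keys reach the client bundle.
// Throws when the allowlist itself names a credential-looking key, so a
// mistaken APP_VERIFY_ADDRESS_AUTH_TOKEN in the list fails the build
// instead of shipping to every visitor.
function selectClientEnv(processEnv, allowlist) {
  const out = {};
  for (const key of allowlist) {
    if (SENSITIVE_KEY_PATTERN.test(key)) {
      throw new Error(`refusing to expose ${key} to the client`);
    }
    if (key in processEnv) out[key] = processEnv[key];
  }
  return out;
}

// Post-build check: extract KEY: 'value' pairs from bundle source and report
// anything with a sensitive key name or a credential-shaped value. Keys in
// expectedPublic (identifiers that are public by design, such as a PayPal
// client ID) are skipped so the value heuristic does not flag them.
function auditBundle(source, expectedPublic = new Set()) {
  const pairs = [...source.matchAll(/([A-Z][A-Z0-9_]+):\s*'([^']*)'/g)];
  const findings = [];
  for (const [, key, value] of pairs) {
    if (expectedPublic.has(key)) continue;
    const reasons = [];
    if (SENSITIVE_KEY_PATTERN.test(key)) reasons.push('sensitive key name');
    if (SENSITIVE_VALUE_PATTERN.test(value)) reasons.push('credential-shaped value');
    if (reasons.length) findings.push({ key, reasons });
  }
  return findings;
}

// Constructed sample: a fragment shaped like the dump in the article, with
// placeholder values (no real credentials).
const FAKE_LONG = 'CONSTRUCTED_' + 'x'.repeat(40);
const SAMPLE_BUNDLE = `
env: {
  APP_AUTH0_GUID: '${FAKE_LONG}',
  APP_LOGGING_ENABLED: 'true',
  APP_PAYPAL_ENV: 'production',
  APP_PAYPAL_CLIENT_ID: '${FAKE_LONG}',
  APP_VERIFY_ADDRESS_AUTH_TOKEN: '00000000-0000-4000-8000-000000000000',
  APP_VISA_CHECKOUT_API_KEY: '${FAKE_LONG}'
}`;

// Keys that are legitimately public in this (hypothetical) deployment.
const KNOWN_PUBLIC = new Set(['APP_PAYPAL_CLIENT_ID']);

// Usage: run the scanner over the constructed bundle and print what it finds.
for (const f of auditBundle(SAMPLE_BUNDLE, KNOWN_PUBLIC)) {
  console.log(`${f.key}: ${f.reasons.join(', ')}`);
}
```

The scanner is deliberately noisy: a long, public-by-design identifier trips the value heuristic, which is the point of keeping a reviewed `expectedPublic` list rather than silencing the check. Wire `selectClientEnv` into the step that produces the `env` object for the bundle, and run `auditBundle` over the built output in CI so a regression fails the pipeline rather than surfacing in a customer's dev tools.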