How I Used Free Tools to Resource Jack API Keys

How much damage could an attacker do with free tools and minimal effort? That’s the question I set out to answer – and the results even surprised me. In less than 10 minutes, I managed to exploit exposed API keys, hijack resources, and prove just how vulnerable organizations can be when basic security measures are overlooked.

“Resource jacking” – for those unfamiliar – is the unauthorized use of an organization’s resources by attackers. This could mean exploiting cloud computing power, running up costs on paid services, using your systems to mine cryptocurrency, or even hijacking your infrastructure to run AI workloads like training machine learning models. The implications are massive: inflated bills, degraded performance, and potential security breaches.

To start my experiment, I searched online for free tools that could help uncover sensitive data like API keys, passwords, or certificates. That’s when I came across TruffleHog. It’s free, easy to install – I had it running on my MacBook in minutes – and comes with plenty of tutorials to guide even a beginner.

Next, I needed access to public repositories. Naturally, I turned to GitHub, which is often an unintended treasure trove of sensitive information.

Was I successful? Absolutely. In no time, I found API keys and certificates and used them to access an API service (HuggingFace). The entire process – from setup to resource jacking – took less than 10 minutes.

While I didn’t steal any data, the exercise demonstrated how easily attackers can exploit exposed keys. Imagine if this API service were tied to a paid account. Attackers could use those credentials to drain your resources and rack up bills – all without you knowing.

This was just an experiment, but the takeaway is real: Publicly exposed API keys are a serious vulnerability. Because if I could do this with free tools and no malicious intent, just imagine what a determined attacker could accomplish.

How Did We Do It?

I started by heading to GitHub to check for any public repositories I could test this against. I noticed the “Trending Repositories” section and decided to run TruffleHog on a few of the more interesting ones.

I got several hits on the fourth repository I tested. The results included a few hundred “unverified” items.

This included a call to HuggingFace using an exposed API key.

It also included a link to the GitHub repository, which revealed exactly which model was being used.

Of course, it wouldn’t work without the Bearer key.

But with a simple copy and paste of the publicly shared API key from the GitHub repository – ta-da, resource jacked.

The above was just my first successful attempt. I stopped there because I’m not a malicious actor – my goal was simply to prove how easy this is to pull off.
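
A defender-side counterpart to the finding above, as an added example that is not part of the original post: a small pre-commit style check that flags hardcoded Hugging Face or Bearer credentials in your own source text before it reaches a public repository. The token patterns, the entropy threshold and the sample lines are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

# Assumptions (not from the original post): Hugging Face user tokens carry an
# "hf_" prefix; any other long literal after "Bearer" is treated as suspect.
RULES = [
    ("huggingface-token", re.compile(r"\bhf_[A-Za-z0-9]{30,}\b")),
    ("hardcoded-bearer", re.compile(r"Bearer\s+([A-Za-z0-9._~+/-]{20,}=*)")),
]
MIN_ENTROPY = 3.5  # bits per character; placeholders such as "xxxx..." score low


def entropy(s):
    """Shannon entropy of s in bits per character."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(secret):
    """Keep enough of the value to locate it, never the whole secret."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan(text):
    """Return (line_no, rule, redacted_value) for each likely live credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        seen = set()  # avoid reporting one value under two rules
        for rule, pattern in RULES:
            for m in pattern.finditer(line):
                value = m.group(m.lastindex or 0)
                if value in seen or entropy(value) < MIN_ENTROPY:
                    continue
                seen.add(value)
                findings.append((line_no, rule, redact(value)))
    return findings


# Constructed sample file; the token is random filler, not a real credential.
SAMPLE = '''\
headers = {"Authorization": "Bearer hf_Qw3rTyU1oPaSdF6hJkL9zXcVbNm2QwErTy"}
headers_ok = {"Authorization": f"Bearer {os.environ['HF_TOKEN']}"}
docs = "Authorization: Bearer xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Only the first sample line is reported: the environment-variable lookup and the low-entropy documentation placeholder are not flagged, and the output never echoes the full secret.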

With Aembit, your developers don’t need to use API keys – or handle credentials tied to non-human or machine identities. We make securing access effortless and secure – so your organization stays protected.

To learn more or try the product for free, visit aembit.io.

Disclaimer

This experiment was conducted solely for educational and awareness purposes to demonstrate the ease with which attackers can exploit exposed API keys and other vulnerabilities. No unauthorized access or harm was caused during this process, and all actions were carried out ethically and responsibly. Prior to posting this blog post, Aembit reached out to the repository owner who assured Aembit that the code and API key were not used in production. Aembit does not condone or encourage illegal activity. Always ensure you have proper authorization before testing systems or accessing resources.
