How much damage could an attacker do with free tools and minimal effort? That’s the question I set out to answer – and the results even surprised me. In less than 10 minutes, I managed to exploit exposed API keys, hijack resources, and prove just how vulnerable organizations can be when basic security measures are overlooked.
“Resource jacking” – for those unfamiliar – is the unauthorized use of an organization’s resources by attackers. This could mean exploiting cloud computing power, running up costs on paid services, using your systems to mine cryptocurrency, or even hijacking your infrastructure to run AI workloads like training machine learning models. The implications are massive: inflated bills, degraded performance, and potential security breaches.
To start my experiment, I searched online for free tools that could help uncover sensitive data like API keys, passwords, or certificates. That’s when I came across TruffleHog. It’s free, easy to install – I had it running on my MacBook in minutes – and comes with plenty of tutorials to guide even a beginner.
Next, I needed access to public repositories. Naturally, I turned to GitHub, which is often an unintended treasure trove of sensitive information.
Was I successful? Absolutely. In no time, I found API keys and certificates and used them to access an API service (HuggingFace). The entire process – from setup to resource jacking – took less than 10 minutes.
While I didn’t steal any data, the exercise demonstrated how easily attackers can exploit exposed keys. Imagine if this API service were tied to a paid account. Attackers could use those credentials to drain your resources and rack up bills – all without you knowing.
This was just an experiment, but the takeaway is real: publicly exposed API keys are a serious vulnerability. If I could do this with free tools and no malicious intent, imagine what a determined attacker could accomplish.
How Did We Do It?
I started by heading to GitHub to check for any public repositories I could test this against. I noticed the “Trending Repositories” section and decided to run TruffleHog on a few of the more interesting ones.
The above was just my first successful attempt. I stopped there because I’m not a malicious actor – my goal was simply to prove how easy this is to pull off.
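The scan described above can be run from the defender's side as well: the same pattern and entropy checks a secret scanner applies to public repositories catch a key before it is ever committed. The following is an added example written for this post; it is not the author's code and not TruffleHog. The HuggingFace token shape (an `hf_` prefix followed by 30 or more alphanumerics), the regular expressions, the entropy threshold, and the sample files are all assumptions or constructed for the demonstration.

```python
import math
import re
from dataclasses import dataclass

# Provider-specific rules. The hf_ prefix and length are an assumption about
# the shape of HuggingFace user access tokens, not taken from the post.
SPECIFIC_RULES = {
    "huggingface_token": re.compile(r"\bhf_[A-Za-z0-9]{30,}\b"),
    "pem_private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"
    ),
}

# Generic rule: a secret-looking variable assigned a quoted value of 16+ chars.
# Matches are then filtered by entropy so repeated placeholders are not reported.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(api[_-]?key|secret|token|password)\s*[=:]\s*[\"']([^\"']{16,})[\"']"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; heuristic, tune per code base


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    redacted: str  # the full value is never stored or logged


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep a 4-char prefix so the hit can be located; hide the rest."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents line by line and return all findings."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        matched_specific = False
        for rule, pattern in SPECIFIC_RULES.items():
            m = pattern.search(line)
            if m:
                # A PEM header is not itself secret, so it can be kept verbatim.
                shown = m.group(0) if rule == "pem_private_key" else redact(m.group(0))
                findings.append(Finding(path, line_no, rule, shown))
                matched_specific = True
        if matched_specific:
            continue  # do not double-report the same line under the generic rule
        m = GENERIC_ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append(
                Finding(path, line_no, "high_entropy_assignment", redact(m.group(2)))
            )
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents, e.g. the staged files of a commit."""
    out: list[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample repository contents; none of these values are real credentials.
SAMPLE_FILES = {
    "app/config.py": "\n".join([
        'MODEL_NAME = "bert-base-uncased"   # not a secret',
        'HF_TOKEN = "hf_QwErTy1234AbCdEf5678GhIjKl9012MnOp"   # constructed token',
        'DB_PASSWORD = "changeme-changeme-changeme"   # placeholder, low entropy',
        'SESSION_SECRET = "aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q="   # constructed',
    ]),
    "deploy/server.pem": "\n".join([
        "-----BEGIN RSA PRIVATE KEY-----",
        "MIIEconstructedNotARealKeyBodyAAAA",
        "-----END RSA PRIVATE KEY-----",
    ]),
    "README.md": "Set HF_TOKEN in your environment; never commit it.",
}


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.redacted}")
```

Wired into a pre-commit hook or a CI job, a non-empty result from `scan_files` should fail the commit. The entropy filter is what keeps `changeme-changeme-changeme` out of the report while the base64-looking session secret is flagged; a production scanner adds per-provider verification and an allowlist on top of this.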
With Aembit, your developers don’t need to use API keys – or handle credentials tied to non-human or machine identities. We make securing access effortless – so your organization stays protected.
To learn more or try the product for free, visit aembit.io.
Disclaimer
This experiment was conducted solely for educational and awareness purposes to demonstrate the ease with which attackers can exploit exposed API keys and other vulnerabilities. No unauthorized access or harm was caused during this process, and all actions were carried out ethically and responsibly. Prior to posting this blog post, Aembit reached out to the repository owner, who assured Aembit that the code and API key were not used in production. Aembit does not condone or encourage illegal activity. Always ensure you have proper authorization before testing systems or accessing resources.