
🐛 [Bounty] - Sensitive Data Leak through github - (2nd report) #4145

@Hornan7

Description


Context

Received via the security mailbox. I’m catching up on the backlog and couldn’t find any logs for this one, so I’m adding it here for tracking purposes. Please feel free to close it if it has already been processed.

Hi Team,

I found a leaked Mockaroo API key on GitHub.


GitHub link: https://github.com/IntersectMBO/govtool-proposal-discussion/blob/bb2d9a653a7e90088d9b6ebbe134397256167ec1/frontend/src/lib/api.js#L18

Validation

curl https://my.api.mockaroo.com/proposals.json?key=5d22e910


Steps to reproduce

While Mockaroo generates fake data, the leak can still pose security threats, especially if the data is used in sensitive contexts.

Pollution of Development/Test Environments: If the leaked key is used to inject nonsensical or maliciously crafted data into your development, staging, or QA databases, it can:

Corrupt tests, leading to false positives or negatives.

Halt development and testing workflows as teams waste time cleaning up the mess.

Mask real application bugs with junk data.

Compromise of Data Schemas: An attacker could generate data that violates your application's business logic or schema constraints, potentially causing application crashes or unexpected behavior in non-production environments.

Reconnaissance for Social Engineering: The fake data generated (names, emails, addresses, etc.) could be used to create seemingly legitimate profiles for phishing or social engineering attacks against your company, as the data format would match what your real systems use.

Actual behavior

n/a

Expected behavior

Immediate Actions to Take if a Mockaroo API Key is Leaked

If you suspect your API key has been compromised, act immediately:

  1. Rotate the Key (Most Critical): Log into your Mockaroo account, go to the API key section, and revoke the compromised key immediately. Generate a new one.

  2. Audit Usage: Check your Mockaroo usage logs and billing dashboard to understand the scale of the abuse.

  3. Scan for Exposure: Search through your codebases (especially public repositories on GitHub), CI/CD configuration files, environment files, and shared documents to find and remove the exposed key.

  4. Update Everywhere: Replace the old key with the new one in all your legitimate applications, scripts, and configuration files.

  5. Contact Support (if necessary): If the financial impact is severe, contact Mockaroo support, explain the situation, and see if they can offer any leniency or payment assistance.
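Step 3 above (scan for exposure), as an added example that is not part of the report or of the project's own code: a small Python scanner that walks a checkout for hard-coded Mockaroo keys in the shape this report shows (a key query parameter on a mockaroo.com URL) plus two assumed shapes (an X-API-Key header value and a committed env-file assignment), and reports redacted matches so the ticket never re-leaks the secret. The key patterns, the 8-character minimum and the sample file contents are constructed assumptions, not a documented Mockaroo key format.

```python
from __future__ import annotations
import pathlib
import re
from dataclasses import dataclass

# Assumed key shapes (not a documented Mockaroo format): a "key" query parameter
# on a mockaroo.com URL, as in the leaked api.js; an X-API-Key header value; or
# an env-style assignment whose name mentions MOCKAROO and KEY.
PATTERNS = [
    re.compile(r"mockaroo\.com/[^\s\"'`]*?[?&]key=([A-Za-z0-9]{8,})", re.I),
    re.compile(r"x-api-key[\"']?\s*[:=]\s*[\"']([A-Za-z0-9]{8,})[\"']", re.I),
    re.compile(r"MOCKAROO[A-Z0-9_]*KEY\s*[:=]\s*[\"']?([A-Za-z0-9]{8,})[\"']?"),
]

@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    redacted_key: str  # never echo the full secret into logs or tickets

def redact(key: str) -> str:
    return key[:2] + "*" * (len(key) - 2)

def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per hard-coded Mockaroo key occurrence in `text`."""
    found = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for pat in PATTERNS:
            for m in pat.finditer(line):
                found.append(Finding(path, line_no, redact(m.group(1))))
    return found

def scan_tree(root: str, suffixes=(".js", ".ts", ".json", ".yml", ".yaml")) -> list[Finding]:
    """Walk a checkout (skipping .git) and scan source, CI config and .env files."""
    out = []
    for p in pathlib.Path(root).rglob("*"):
        if p.is_file() and ".git" not in p.parts and (p.suffix in suffixes or p.name == ".env"):
            out.extend(scan_text(str(p), p.read_text(errors="ignore")))
    return out

# Constructed sample files; key values are placeholders, not real credentials.
SAMPLE_FILES = {
    "frontend/src/lib/api.js": (
        'const URL = "https://my.api.mockaroo.com/proposals.json?key=0123abcd";\n'  # hard-coded: flagged
        "const KEY = import.meta.env.VITE_MOCKAROO_KEY;\n"                          # injected at build: not flagged
    ),
    "frontend/.env": "VITE_MOCKAROO_KEY=0123abcd\n",             # committed env file: flagged
    "ci/fetch.yml": '  headers: { "X-API-Key": "0123abcd" }\n',  # header form: flagged
}

def scan_samples() -> list[Finding]:
    return [f for path, text in SAMPLE_FILES.items() for f in scan_text(path, text)]

if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f.path}:{f.line_no}: hard-coded Mockaroo key {f.redacted_key}")
```

Moving the key into a build-time variable only keeps it out of the repository; anything a browser frontend sends to my.api.mockaroo.com is still visible to every user of the deployed site, so a key that must stay private belongs behind a backend or in dev-only builds.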
