Hey Developer, give me your API keys!

Devansh batham
Jul 18, 2018 · 4 min read


This is just another friendly article, without any secret “Ninja” techniques!

Credits: thanks to the security team of Infoziant Labs for their consistent support!

DISCLAIMER: In this blog post I am not going to talk about any advanced stuff or any secret techniques. This post is all about how developers sometimes make silly mistakes (after all, developers are human too :P).

Now, some of you might say:

Okay, okay. Hold on and read the full article!

Every year we see data breaches, hacks and ransomware attacks on big IT companies. In most of these incidents the root cause is a server-side vulnerability, a client-side flaw in the application, or social engineering.


But in a few cases the cause of the attack is nothing more than a silly mistake by a developer, like leaving secret API keys, AWS secret keys, MySQL credentials or Slack channel credentials in a public repository.

(Even I am not an expert, though.)

Later on in this post I will show you one of my recent findings, which illustrates how I found a secret API key for Crowdin’s test project and successfully pwned that project. [The issue is fixed now.]

What’s the worst that can happen?

In the past I have seen cases where developers left hardcoded credentials in their company’s Android application, which later gave me access to their admin dashboard.


Some developers Base64-encode their API keys and assume an attacker will not be able to find them. Are they serious? Base64 is an encoding, not encryption: it has no key, so anyone who finds the string can decode it in one command. It is not a solution to this problem at all.
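As an added example (my own code, not taken from the post or from Crowdin’s repository), here is a small scanner that covers both points above: it finds key-shaped strings in a file the way a grep over a public repository would, and it decodes Base64 blobs and re-checks the decoded text, so the “hide it in Base64” trick buys nothing. The key patterns, the entropy threshold and the constructed sample file are assumptions; the only real value in it is the expired Crowdin key quoted later in this post, plus the AWS documentation example key ID.

```python
import base64
import binascii
import math
import re

# Key shapes this scanner knows about (assumption: extend for your own stack).
HEX_KEY = re.compile(r"\b[0-9a-f]{32}\b")        # 32 lowercase hex chars, the shape of the Crowdin key
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")  # AWS access key ID prefix
# A run of base64 characters long enough to hold a 32-byte secret (44 chars when encoded).
B64_BLOB = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{40,}={0,2}(?![A-Za-z0-9+/=])")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character. Random hex is ~4.0, English prose ~3.0 or less."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def try_base64(blob: str):
    """Decode blob if it is valid base64 of printable ASCII text; otherwise None."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def find_secrets(text: str):
    """Scan text line by line and return (line_no, kind, value) for every hit."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in HEX_KEY.finditer(line):
            hits.append((line_no, "hex32", m.group()))
        for m in AWS_KEY_ID.finditer(line):
            hits.append((line_no, "aws_access_key_id", m.group()))
        for m in B64_BLOB.finditer(line):
            decoded = try_base64(m.group())
            if decoded is None:
                continue
            # Base64 is reversible, so the decoded text gets the same checks as plain text.
            if HEX_KEY.search(decoded) or AWS_KEY_ID.search(decoded):
                hits.append((line_no, "base64(known-key-shape)", decoded))
            elif len(decoded) >= 20 and shannon_entropy(decoded) > 3.5:
                hits.append((line_no, "base64(high-entropy)", decoded))
    return hits


LEAKED_KEY = "79323cdcd6b4566154c4fb9c6bbd3be1"  # the (now expired) key quoted in the post

# Constructed sample file: the leaked bin/console lines plus two extra lines a
# developer might add, one with the same key Base64-encoded and one with the
# AWS documentation example key ID.
SAMPLE = "\n".join([
    f"api_key = '{LEAKED_KEY}'",
    "project_id = 'rubytestapi'",
    "base_url = 'https://api.crowdin.com'",
    f"API_KEY_B64 = '{base64.b64encode(LEAKED_KEY.encode()).decode()}'",
    "aws_access_key_id = 'AKIAIOSFODNN7EXAMPLE'",
    "greeting = 'nothing secret on this line'",
])

if __name__ == "__main__":
    for line_no, kind, value in find_secrets(SAMPLE):
        print(f"line {line_no}: {kind}: {value}")
```

Run it over a checkout before you push (or wire it into a pre-commit hook); the Base64-encoded copy of the key is reported with the same confidence as the plain one.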

Credits to Rojan Rijal for his blog post: https://sites.google.com/securifyinc.com/rojanrijal/finding-leaked-sensitive-data

Now let me narrate an interesting incident!

“How I got complete access to Crowdin’s test project (rubytestapi)”

What is Crowdin?

“Crowdin is a localization management platform designed to automate localization within agile software development. With more than 1,000,000 user accounts, the platform is used by development companies in 140 countries.”

For more info about Crowdin, read this: https://www.crunchbase.com/organization/crowdin-

I decided to test Crowdin for vulnerabilities because they offer a cool goodies pack for valid vulnerabilities!

So I started looking for code-level bugs in their GitHub repositories, and soon I ended up on a page that was disclosing their secret API key, here: https://github.com/crowdin/crowdin-api/blob/master/bin/console

api_key = '79323cdcd6b4566154c4fb9c6bbd3be1'
project_id = 'rubytestapi'
base_url = 'https://api.crowdin.com'

Note: this API key is now expired.

As you can see above, I had the api_key and the project_id. At that moment I had no idea how I could use this API key to access their project, so I started reading their API docs here: https://support.crowdin.com/api/api-integration-setup/

Soon I found that I could take over their project “rubytestapi” using the API key.

After reading their API docs, I was all set to take over their test project.

To enumerate the project details of “rubytestapi”, the request is:

GET https://api.crowdin.com/api/project/{project-identifier}/info?key={project-key}

NOTE: the project-identifier is “rubytestapi” and the project-key is “79323cdcd6b4566154c4fb9c6bbd3be1”.

When I sent that GET request using Burp, I got a 200 OK response with the complete details of their project (“rubytestapi”).


Full info of their project “rubytestapi”

Now, what could I do with their project (“rubytestapi”)?

I could add files, delete files, upload translations, check translation status, and many other things (see here: https://support.crowdin.com/api/info/). In short, I had complete access to their project.
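Here is how I would turn the info request shown above into a safe check, as an added example that is my own code and not Crowdin’s or the post’s: it builds the URL exactly as documented, calls only that read-only endpoint (none of the add, delete or upload calls listed above), and classifies the answer. How Crowdin signals a rejected key (a non-200 status, or an XML body whose root element is error) is an assumption, as is the FakeOpener that lets the example run offline; the canned responses are constructed. Two caveats a tester should keep in mind: the key travels in the query string, so it will be written to proxy and web-server logs along the way, and you should only run this against a project whose owner has authorized the test.

```python
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import quote

BASE_URL = "https://api.crowdin.com"  # base_url as it appeared in the leaked bin/console


def project_info_url(project_id: str, project_key: str, base_url: str = BASE_URL) -> str:
    """Build the read-only 'project info' request shown in the post.

    Both values are URL-encoded so a key or identifier with odd characters
    cannot change the path or smuggle in extra query parameters.
    """
    return (f"{base_url}/api/project/{quote(project_id, safe='')}"
            f"/info?key={quote(project_key, safe='')}")


def interpret_response(status: int, body: bytes) -> str:
    """Turn an HTTP status and body into a verdict about the key.

    Assumption (not taken from the Crowdin docs): a rejected key shows up either
    as a 401/403/404 status or as an XML body whose root element is <error>.
    """
    if status != 200:
        if status in (401, 403, 404):
            return "key-rejected"
        return f"unexpected-status-{status}"
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "unparseable-body"
    if root.tag == "error":
        return "key-rejected(error-code=%s)" % root.findtext("code", default="?")
    return "key-live"


def check_key(project_id: str, project_key: str, opener=None, timeout: int = 10) -> str:
    """Read-only liveness check for a candidate leaked key.

    Only the info endpoint is called; nothing is uploaded, changed or deleted.
    `opener` is injectable so the check can be exercised offline (see FakeOpener).
    """
    opener = opener or urllib.request.build_opener()
    url = project_info_url(project_id, project_key)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return interpret_response(resp.getcode(), resp.read())
    except urllib.error.HTTPError as err:
        # urllib raises on 4xx/5xx; the error object still carries status and body.
        return interpret_response(err.code, err.read())


class FakeOpener:
    """Stand-in for urllib's opener that returns a canned response (offline demo only)."""

    def __init__(self, status: int, body: bytes):
        self.status, self.body = status, body
        self.last_url = None

    def open(self, url, timeout=None):
        self.last_url = url
        return _FakeResponse(self.status, self.body)


class _FakeResponse:
    def __init__(self, status, body):
        self._status, self._body = status, body

    def getcode(self):
        return self._status

    def read(self):
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


if __name__ == "__main__":
    # Constructed responses; the real project now rejects this (expired) key.
    live = FakeOpener(200, b"<info><details><name>rubytestapi</name></details></info>")
    dead = FakeOpener(200, b"<error><code>3</code><message>API key is not valid</message></error>")
    print(check_key("rubytestapi", "79323cdcd6b4566154c4fb9c6bbd3be1", opener=live))  # key-live
    print(check_key("rubytestapi", "79323cdcd6b4566154c4fb9c6bbd3be1", opener=dead))  # key-rejected(error-code=3)
```

To run it for real, drop the `opener` argument so urllib’s default opener is used; a “key-live” verdict is the point at which you stop and report, not the point at which you start poking at files.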


Soon after the discovery, I first sent an email to Crowdin to confirm whether the rubytestapi project was owned by them. Within a few minutes I got this response:

So it was clear that the project was owned by Crowdin!

I reported the issue to them along with a proof of concept. They triaged and fixed the report within one hour (kudos to them for their awesome response time).

I was rewarded with their goodies pack and got listed in their hall of fame:





Want to chat? Connect with me:

Twitter : @devanshwolf

Facebook : Devansh Batham


Devansh Batham(Infoziant Labs)

Have some penetration testing or security projects? Give a shout to Infoziant Labs (Tony@infoziant.com).

