API Key and OAuth Token Disclosure

Hello all, I am thinking I stumbled upon something very interesting. In a random bucket, I found a javascript file which has a hard-coded API key and OAuth token. I added the header Authorization: Bearer oauth token here and I was able to get authenticated. Before using the OAuth token, I was simply getting: "status": "UNAUTHENTICATED". My question is: where can I go from here? I’m pretty sure I’m onto something here. I’m trying to see what information I can gather with API calls, but is what I found enough to file a report? Very new to API’s, but I’m happy with the little progress I found, even if this isn’t a valid bug just yet, at least I’m learning!

1 Like