Hello all, I am thinking I stumbled upon something very interesting. In a random bucket, I found a javascript file which has a hard-coded API key and OAuth token. I added the header Authorization: Bearer oauth token here and I was able to get authenticated. Before using the OAuth token, I was simply getting: "status": "UNAUTHENTICATED". My question is: where can I go from here? I’m pretty sure I’m onto something here. I’m trying to see what information I can gather with API calls, but is what I found enough to file a report? Very new to API’s, but I’m happy with the little progress I found, even if this isn’t a valid bug just yet, at least I’m learning!
1 Like
Hi @pisteuo,
Hardcoded API keys are enough to submit on their own. However, since you want to escalate the issue, look for some sensitive actions through APIs which you can perform using the same credentials and try to build from there. I hope that helped.
1 Like