Thursday, 14 April 2016 10:23

A call to web services for greater API security


We know plaintext passwords are bad, yet for many a service provider, user API keys are left out in the open. Enough, says this CIO.

Application Programmer Interfaces - or APIs - are big things. This is how a service can allow other services to make use of its features and functions within a different website or program.

It's the magic behind things like IFTTT, otherwise known as "If This Then That" which allows users to effortlessly join disparate web services together. For example, whenever someone tags you in a Facebook photo automatically save it into Dropbox. IFTTT uses the APIs provided by these services to give users the power and flexibility to link actions and activities together.

It's how WordPress used to provide access to the Akismet anti-spam comment plugin.

It's how a plethora of Twitter apps could be created.

So, APIs are a big thing, and a good thing. Yet, I would argue too many web services are taking a gamble with your API keys by displaying them in plaintext, no matter if it is behind a login.

A very simple search "Where do I find my API key" reveals a load of web sites which provide API key facilities to users, including the very screens a user must go to in order to retrieve their forgotten API key.

This list includes WordPress, Campaign Monitor, MailChimp, GetResponse, Stripe, SendGrid and more.

Yet, if a rogue person or application finds your API keys they essentially have the capacity to use these services without restriction, under your account, and using your credit card.

This was the experience of DevFactor founder Andrew Hoffman who published his Amazon S3 keys along with his program code on GitHub.

He realised five minutes later and pulled the keys from public view, but that time was enough for a bot.

By the morning, Hoffman found he had 140 servers running on his AWS account performing Bitcoin mining, with an accompanying Amazon bill of $2,375. That's not the first, and by no means the last, such occurrence of the problem.

However, developers - and worse, service providers - continue making API keys available in plaintext.

Amazon publishes its best practice guidelines for managing keys but the most salient point is that Amazon simply does not display the secret access key to users. If the secret key is lost or forgotten, the user will need to create a new one.

Amazon's stance is the right one. Just as any secure operating system will store encrypted passwords and not provide any way to recover or decrypt the password, so too API keys ought to be treated with this respect and importance.

Just as we ought to be dismayed when a web service offers a 'recover password' facility that sends you a plaintext copy of your password - meaning it is not encrypted on their end - so too we ought to be dismayed when a web service offers a 'here is your API key' page.

Let us begin the push for service providers to put a higher emphasis on security and protecting customer's accounts, facilities and money from misuse.

Read 2496 times

Please join our community here and become a VIP.

Subscribe to ITWIRE UPDATE Newsletter here
JOIN our iTWireTV our YouTube Community here


If you're looking at enabling Microsoft Teams for your contact centre, you should bookmark this webinar.

Marketing budgets are now focused on Webinars combined with Lead Generation.

Our panellists from Whangarei District Council (NZ) and Maurice Blackburn Lawyers (Aus) were closely involved in recent projects to enable Microsoft Teams for their own contact centres.

They have kindly agreed to join Enghouse and Microsoft to talk about some of the things they would recommend as most critical for IT and CX professionals planning a Teams Contact Centre migration.

Date: 11 May 2022
Time: 12pm AEST | 2pm NZST | 10am SGT

We look forward to having you join us. Please click the button below to register.



The past year has seen a meteoric rise in ransomware incidents worldwide.

Over the past 12 months, SonicWall Capture Labs threat researchers have diligently tracked the meteoric rise in cyberattacks, as well as trends and activity across all threat vectors, including:

Encrypted threats
IoT malware
Zero-day attacks and more

These exclusive findings are now available via the 2022 SonicWall Cyber Threat Report, which ensures SMBs, government agencies, enterprises and other organizations have the actionable threat intelligence needed to combat the rising tide of cybercrime.

Click the button below to get the report.



It's all about Webinars.

Marketing budgets are now focused on Webinars combined with Lead Generation.

If you wish to promote a Webinar we recommend at least a 3 to 4 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site and prominent Newsletter promotion and Promotional News & Editorial. Plus a video interview of the key speaker on iTWire TV which will be used in Promotional Posts on the iTWire Home Page.

Now we are coming out of Lockdown iTWire will be focussed to assisting with your webinars and campaigns and assistance via part payments and extended terms, a Webinar Business Booster Pack and other supportive programs. We can also create your adverts and written content plus coordinate your video interview.

We look forward to discussing your campaign goals with you. Please click the button below.


David M Williams

David has been computing since 1984 where he instantly gravitated to the family Commodore 64. He completed a Bachelor of Computer Science degree from 1990 to 1992, commencing full-time employment as a systems analyst at the end of that year. David subsequently worked as a UNIX Systems Manager, Asia-Pacific technical specialist for an international software company, Business Analyst, IT Manager, and other roles. David has been the Chief Information Officer for national public companies since 2007, delivering IT knowledge and business acumen, seeking to transform the industries within which he works. David is also involved in the user group community, the Australian Computer Society technical advisory boards, and education.

Share News tips for the iTWire Journalists? Your tip will be anonymous