How I Used Free Tools to Resource Jack API Keys
Published 02/11/2025
Originally published by Aembit.
Written by Ashur Kanoon, Technical Product Marketing, Aembit.
How much damage could an attacker do with free tools and minimal effort? That’s the question I set out to answer – and the results even surprised me. In less than 10 minutes, I managed to exploit exposed API keys, hijack resources, and prove just how vulnerable organizations can be when basic security measures are overlooked.
“Resource jacking” – for those unfamiliar – is the unauthorized use of an organization’s resources by attackers. This could mean exploiting cloud computing power, running up costs on paid services, using your systems to mine cryptocurrency, or even hijacking your infrastructure to run AI workloads like training machine learning models. The implications are massive: inflated bills, degraded performance, and potential security breaches.
To start my experiment, I searched online for free tools that could help uncover sensitive data like API keys, passwords, or certificates. That’s when I came across TruffleHog. It’s free, easy to install – I had it running on my MacBook in minutes – and comes with plenty of tutorials to guide even a beginner.
Next, I needed access to public repositories. Naturally, I turned to GitHub, which is often an unintended treasure trove of sensitive information.
Was I successful? Absolutely. In no time, I found API keys and certificates and used them to access an API service (HuggingFace). The entire process – from setup to resource jacking – took less than 10 minutes.
While I didn’t steal any data, the exercise demonstrated how easily attackers can exploit exposed keys. Imagine if this API service were tied to a paid account. Attackers could use those credentials to drain your resources and rack up bills – all without you knowing.
This was just an experiment, but the takeaway is real: Publicly exposed API keys are a serious vulnerability. Because if I could do this with free tools and no malicious intent, just imagine what a determined attacker could accomplish.
How Did We Do It?
I started by heading to GitHub to check for any public repositories I could test this against. I noticed the “Trending Repositories” section and decided to run TruffleHog on a few of the more interesting ones.
I got several hits on the fourth repository I tested. The results included a few hundred “unverified” items.
This included a call to HuggingFace using an exposed API key.
It also included a link to the GitHub repository, which revealed exactly which model was being used.
Of course, it wouldn’t work without the Bearer key.
But with a simple copy and paste of the publicly shared API key from the GitHub repository – ta-da, resource jacked.
The above was just my first successful attempt. I stopped there because I’m not a malicious actor – my goal was simply to prove how easy this is to pull off.
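As an added example that is not from the original post or from Aembit, here is a minimal pre-commit style check in Python that flags the kind of hard-coded token the scan above turned up, reports each hit as "unverified" unless a live verifier callback is supplied (mirroring the unverified/verified distinction TruffleHog reports), and redacts the value in its output. The `hf_` prefix pattern, the `verifier` callback and the sample source are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Candidate-secret patterns. "hf_" is the prefix Hugging Face user access
# tokens carry (assumed here; adjust for your providers); the second pattern
# catches any token pasted straight into an Authorization: Bearer header.
PATTERNS = {
    "huggingface_token": re.compile(r"\bhf_[A-Za-z0-9]{20,}\b"),
    "bearer_header": re.compile(
        r"Authorization['\"]?\s*[:=]\s*['\"]?Bearer\s+([A-Za-z0-9._\-]{16,})"),
}

@dataclass
class Finding:
    kind: str
    line_no: int
    redacted: str
    verified: Optional[bool]  # None means "unverified": no live check was run

def redact(secret: str) -> str:
    """Keep just enough to locate the token; never echo the full value."""
    return f"{secret[:5]}...{secret[-3:]}" if len(secret) > 12 else "***"

def scan_text(text: str,
              verifier: Optional[Callable[[str, str], bool]] = None) -> list[Finding]:
    """Scan source text; one finding per (line, token) even if several patterns hit."""
    findings, seen = [], set()
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                secret = m.group(1) if m.groups() else m.group(0)
                if (line_no, secret) in seen:
                    continue
                seen.add((line_no, secret))
                verified = verifier(kind, secret) if verifier else None
                findings.append(Finding(kind, line_no, redact(secret), verified))
    return findings

# Constructed sample of the kind of code the scan found; the token is a placeholder.
SAMPLE_SOURCE = '''import requests
API_URL = "https://inference.example.invalid/models/EXAMPLE-ORG/EXAMPLE-MODEL"
headers = {"Authorization": "Bearer hf_EXAMPLEPLACEHOLDER0123456789abcdefXYZ"}
response = requests.post(API_URL, headers=headers, json={"inputs": "hello"})
'''

if __name__ == "__main__":
    for f in scan_text(SAMPLE_SOURCE):
        status = {None: "unverified", True: "VERIFIED (live)", False: "not live"}[f.verified]
        print(f"line {f.line_no}: {f.kind} {f.redacted} [{status}]")
```

Wire `scan_text` into a pre-commit hook over staged files and fail the commit on any finding; a real verifier would call the provider's token-introspection endpoint rather than the API itself.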
Disclaimer
This experiment was conducted solely for educational and awareness purposes to demonstrate the ease with which attackers can exploit exposed API keys and other vulnerabilities. No unauthorized access or harm was caused during this process, and all actions were carried out ethically and responsibly. Prior to posting this blog post, Aembit reached out to the repository owner, who assured Aembit that the code and API key were not used in production. Aembit does not condone or encourage illegal activity. Always ensure you have proper authorization before testing systems or accessing resources.
About the Author
Ashur Kanoon is the technical product marketing guy at Aembit. He started off as a software engineer at Cisco working on Y2K (remember that?). He takes what excited (and highly caffeinated) engineers build and makes sure that business and technical buyers know why to partner with us.