API Key Exposure

Category: Data Exfiltration & Credential Theft
Severity: High
MITRE ATT&CK Mapping: T1552 (Unsecured Credentials)

Description

Accidental or malicious exposure of API keys and secrets through MCP configurations, logs, or other storage mechanisms, enabling unauthorized access to protected services and APIs.

Technical Details

Attack Vector

• API key exposure in configuration files
• Secrets in application logs
• Credential leakage through error messages
• Unsecured credential storage

Common Techniques

• Configuration file analysis
• Log file harvesting
• Error message extraction
• Memory dumps analysis

Impact

• API Abuse: Unauthorized access to external APIs
• Service Compromise: Access to protected services
• Cost Implications: Unauthorized API usage charges
• Data Access: Access to API-protected data

Detection Methods

Credential Scanning

• Scan configuration files for API keys
• Monitor log files for credential exposure
• Detect credential patterns in code
• Analyze error messages for secrets

Access Monitoring

• Monitor API key usage patterns
• Track unusual API access
• Detect API abuse patterns
• Monitor service access

Mitigation Strategies

Credential Management

• Use secure credential storage
• Implement credential rotation
• Deploy secret management systems
• Monitor credential exposure

Configuration Security

• Secure configuration files
• Use environment variables
• Implement configuration encryption
• Monitor configuration access

Real-World Examples

Example 1: Configuration File Exposure

{
  "database": {
    "url": "postgresql://user:password@localhost/db"
  },
  "api_keys": {
    "openai": "sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "aws": "AKIAXXXXXXXXXXXXXXXX"
  }
}

Example 2: Log File Credential Leakage

2024-01-15 10:30:15 INFO: Connecting to API with key: sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
2024-01-15 10:30:16 ERROR: Authentication failed for user: admin, password: secretpassword123

Example 3: Error Message Exposure

def connect_to_api():
    api_key = "sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    try:
        return api_client.connect(api_key)
    except Exception as e:
        # Credential leaked in error message
        raise Exception(f"API connection failed with key {api_key}: {str(e)}")

References & Sources

• Prompt Security - “Top 10 MCP Security Risks You Need to Know”
• Red Hat - “Model Context Protocol (MCP): Understanding security risks and controls”
• Strobes Security - “MCP and Its Critical Vulnerabilities”

Related TTPs

• Credential Exfiltration
• Token Theft/Overreach
• Insufficient Logging

---

API key exposure represents a common but critical vulnerability that can lead to widespread service compromise and unauthorized access.