Exposure of confidential secret or token Segment public API token

Description

The response body contains content that matches the pattern of a Segment Public API token was identified. The Segment Public API is used to manage your Segment workspaces and its resources. Two types of tokens match this pattern, a workspace owner token and a limited role token. In general these tokens allow callers of the API to perform read, write, and delete operations. A malicious actor with access to a workspace owner token can access all workspace data. A limited role token can access the data it was granted access to on creation. Exposing this value could allow attackers to gain access to all resources granted by this token.

Remediation

For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on Credential exposure to the internet.

To rotate a Public API token:

• Sign in to your Segment account and access your workspace from https://app.segment.com/
• From the left-hand menu, select "Settings" and go to "Workspace settings"
• Select the "Access Management" tab in the "Workspace settings" page
• Select the "Tokens" tab under "Access Management"
• Find the key that was identified, and select it
• In the right hand side, select "Edit token" in the "Token Permissions" section
• Select "Remove token" in the upper-right corner
• When prompted, select "Remove Token" in the dialog

For more information, please see Segment's documentation on their public API.

Details

ID	Aggregated	CWE	Type	Risk
798.169	false	798	Passive	High

Links

• CWE