iViewed your API keys

174 points, by spellsaidwrong, about 3 years ago

13 comments

hiisukun, about 3 years ago
Broader context: iView (from the ABC in Australia, a publicly funded broadcaster) was pretty much first to market here for streaming TV, and view on demand.

The other stations have all since caught up, but ABC have a tremendous amount of quality children's content so it's a very popular service with families.

However, the current government is not a fan of funding the ABC and as such they've been operating with a very tight and reducing budget for most of the last decade. The edges of their products including interactive news pieces and election/pandemic coverage (and some of these API key issues) are a bit rough but the overall achievement is excellent.

Grimburger, about 3 years ago
I'd be careful about posting stuff like this as a young person in Australia. The modern situation is incredibly hostile towards this sort of disclosure. Especially regarding a government entity.

It's not that you've done anything in the slightest bit wrong. It's that others with power can easily make it become wrong with little to no backlash in the current Australian climate.

I understand the desire for recognition, but certainly think twice and at the very least wait until after election season is over in June so tech-illiterate political opportunists don't pounce to martyr you for their own gain.

Would suggest looking into the fall of someone widely recognised like Dr Vanessa Teague, a professor who pointed out government failures in e-voting and claimed health anonymization measures to make up your own mind. One government department finally had enough and she was out, I'm sure it's a lot cheaper than actually fixing the problems raised.

Behind the laid back "beers and beaches" mirage, Australia is an authoritarian country with huge public support for iron fists, this is clear to many.

raxxorraxor, about 3 years ago
To be fair, I think a lot of developers begin with that. There is a logistical problem in providing secrets to a process without getting the secret exposed. Environment variables are an often chosen approach. Of course when the software is tested and ready to be deployed, the step to use a secure container containing credentials is often neglected like it was probably done here. This isn't necessarily sloppy programming, it is just skipping an essential step.

How do you provide your secrets to your apps? Using an external service? That would still require another set of credentials. Using environment variables? A file only the user running the app has access to? Another way?

intunderflow, about 3 years ago
Given it's Australia how long until ABC claim to have been "the victim of a sophisticated hack" and get the author arrested

harg, about 3 years ago
I'm not sure how bad this actually is. I haven't examined all the env variables exposed, but it's fairly common to expose public-facing api keys for services that require client-side communication with a 3rd party API. E.g. for client-side bug tracking, search etc.

account-5, about 3 years ago
I'm not a web developer but this stuff, from the outside looking in, is reason enough for me to avoid. Obviously I'm no expert but this sort of stuff happens enough that I wouldn't even know where to start to learn this stuff properly.

nojs, about 3 years ago
*.id.au is an interesting domain that I haven't seen before. Apparently you can get an id.au iff you're an Australian citizen, and it must approximately match your real name.

ehnto, about 3 years ago
The Algolia side is required and expected, no? I know you can hide said details to be even safer, but it's expected to have the API public tokens available to the client so they can use the API from your site. The keys shouldn't work on other sites since the API will whitelist your application URL, so stealing them is pointless.

gitgud, about 3 years ago
You can easily see 5 environment variables ending in "_KEY" stored in "window.__INITIAL_STATE__"... crazy this got into production...

view-source here -> https://iview.abc.net.au/

andrewstuart, about 3 years ago
The ABC is underfunded and under attack from the government.

Even if they do have software issues I wouldn't be publicly running attacks against them cause it would just give the government more reason to cut their funding more.

Likely the developers at the ABC are doing the best they can with the limited resources they have, and deserve our support rather than doing the Internet mob attack thing.

rhacker, about 3 years ago
I wouldn't be surprised if there's a significant number of small or large deployments out there that use a nodejs build such as webpack, that has pulled in some kind of JSON configuration file with prod keys exposed hidden in those huge bundles.

ffhhj, about 3 years ago
Also, almost every Android app in Google Play has all the Firebase API keys exposed in their manifests, and it's really easy to retrieve them from APK/AAB's.

darepublic, about 3 years ago
Agile did not save their asses. Sprint planning, grooming, modern frameworks, all the trappings of modernity but crucially no one present to say "secret key in frontend is a no-no"