Secret leaks often occur when a sensitive piece of authentication data is stored with the source code of an application. Considering the source
code is intended to be deployed across multiple assets, including source code repositories or application hosting servers, the secrets might get
exposed to an unintended audience.
Why is this an issue?
In most cases, trust boundaries are violated when a secret is exposed in a source code repository or an uncontrolled deployment environment.
Unintended people who don’t need to know the secret might get access to it. They might then be able to use it to gain unwanted access to associated
services or resources.
The trust issue can be more or less severe depending on the people’s role and entitlement.
What is the potential impact?
The Spotify API secret is a confidential key used for authentication and authorization purposes when accessing the Spotify API.
The Spotify API grants applications access to Spotify’s services and, by extension, user data. Should this secret fall into the wrong hands, two
immediate concerns arise: unauthorized access to user data and data manipulation.
When unauthorized entities obtain the API secret, they have potential access to users' personal Spotify information. This includes the details of
their playlists, saved tracks, and listening history. Such exposure might not only breach personal boundaries but also infringe upon privacy standards
set by platforms and regulators.
In addition to simply gaining access, there is the risk of data manipulation. If malicious individuals obtain the secret, they could tamper with
user content on Spotify. This includes modifying playlists, deleting beloved tracks, or even adding unsolicited ones. Such actions not only disrupt
the user experience but also violate the trust that users have in both Spotify and third-party applications connected to it.
How to fix it
Revoke the secret
Revoke any leaked secrets and remove them from the application source code.
Before revoking the secret, ensure that no other applications or processes are using it. Other usages of the secret will also be impacted when the
secret is revoked.
Use a secret vault
A secret vault should be used to generate and store the new secret. This will ensure the secret’s security and prevent any further unexpected
disclosure.
Depending on the development platform and the leaked secret type, multiple solutions are currently available.
Code examples
Noncompliant code example
props.set("spotify_secret", "f3fbd32510154334aaf0394aca3ac4c3")
Compliant solution
props.set("spotify_secret", System.getenv("SPOTIFY_SECRET"))
Resources
Standards
