#API key was exposed - last used field is not being updated and is set to never

uneven raptor
#

Hey guys! Our API key has been exposed and we've reached our usage limits. The API key is stored as an env variable. Our application is hosted on AWS. When we found out about this yesterday, we generated a new key and increased the limit to test if the problem would appear again. And it appeared. Can you help?

stiff kite
#

Hi @uneven raptor, this must be an issue with your implementation, because OpenAI's key generation is secure; the key won't be exposed unless you expose it yourself or some part of your application code exposes it.

#

Are you making any frontend-bound API calls by any chance? If so, that could be exposing your key

olive wasp
#

This happens all the time

uneven raptor
#

But how is it possible to retrieve the token by reverse engineering?

#

@olive wasp

olive wasp
#

But they could be using your token to generate responses using your API

#

Is it a web application that you are hosting?

uneven raptor
#

yeah

#

Any solutions on how to protect from such actions?

olive wasp
#

Can I maybe see it?

#

So I can see if there are any obvious vulnerabilities

#

And are you just making a web request to your API without any authentication?

stiff kite
#

Yeah it would be useful for us to see the implementation so we can spot vulnerabilities

jagged zodiac
#

are you checking the env var into GitHub?

#

and is your app in a private repo?