Skip to main content

Apify API Token

An Apify API Token is a credential used to authenticate and authorize access to the Apify platform, which provides tools for web scraping, data extraction, and automation. This token allows users to interact with Apify's API to manage actors, datasets, and other resources. Exposure of an Apify API Token is a significant security concern because it can grant unauthorized access to sensitive data and operations within the Apify environment, potentially leading to data breaches or misuse of resources.

How Does It Look

An Apify API Token can appear in various contexts, such as:

  • Environment variables:

    export APIFY_API_TOKEN="apify_api_token_1234567890abcdef"

  • Configuration files (JSON, YAML, .env):

    {
      "apifyApiToken": "apify_api_token_1234567890abcdef"
    }
    apify_api_token: apify_api_token_1234567890abcdef

  • Code snippets:

    const apifyClient = new ApifyClient({
      token: 'apify_api_token_1234567890abcdef'
    });

  • Connection strings (if applicable): Not typically used in connection strings.

Severity

  • 🟠 High

This severity level is due to the potential access an Apify API Token provides. It can allow an attacker to manage actors, access datasets, and execute tasks, which could lead to unauthorized data extraction or manipulation. The blast radius includes any data or resources accessible via the Apify account associated with the token.

What Can an Attacker Do?

With immediate access to an Apify API Token, an attacker can perform several actions:

An attacker can immediately interact with the Apify API, potentially leading to unauthorized operations.

Key actions an attacker can perform:

  • Delete or modify data (if the token has write permissions)
  • Access sensitive datasets (if the token has read access to datasets)
  • Execute or modify actors (if the token allows actor management)
  • Consume resources (if the token permits task execution, leading to unexpected charges)

An attacker could also use the token to escalate privileges or move laterally within the Apify environment, potentially compromising additional resources or data.

Real-World Impact

Exposure of an Apify API Token poses significant business risks, including:

The primary impact is unauthorized access to data and resources.

Potential consequences include:

  • Data Exposure: Sensitive datasets and extracted data (if the token has read access to sensitive data)
  • Financial Loss: Unexpected charges due to resource consumption (if billing/resource creation is permitted)
  • Operational Disruption: Interruption of automated tasks and workflows (if the attacker has delete/modify permissions)
  • Reputational Damage: Loss of trust and brand impact due to data breaches

In a worst-case scenario, the exposure could lead to cascading effects, such as further data breaches or exploitation of other connected systems.

Prerequisites for Exploitation

To exploit an exposed Apify API Token, an attacker needs:

  • Network access: Ability to send requests to the Apify API
  • Additional context: Knowledge of specific endpoints or account IDs to target
  • Rate limits: Awareness of any rate limits or restrictions that might impede exploitation

How to Verify If It's Active

To verify if an Apify API Token is active, use the following command:

curl -X GET "https://api.apify.com/v2/actor-tasks" -H "Authorization: Bearer [TOKEN]"

Valid credential response: A successful response will return a list of actor tasks associated with the account.

Invalid/expired credential response: An error message indicating unauthorized access or invalid token.

Detection Patterns

Common Variable Names:

  • APIFY_API_TOKEN
  • apifyApiToken
  • apify_token
  • APIFY_TOKEN
  • apiToken
  • apifyKey

File Locations:

  • .env
  • config.json
  • settings.yaml
  • credentials.js
  • app-config.yml

Regex Pattern:

apify[_-]?api[_-]?token['"]?\s*[:=]\s*['"]?[a-zA-Z0-9]{20,40}['"]?

Remediation Steps

  1. Revoke immediately - Go to Apify Console > Account > API Tokens and delete the compromised token.
  2. Audit access logs - Review Apify activity logs for unauthorized actions or data access during the exposure window.
  3. Assess blast radius - Identify all systems, applications, and environments that used the exposed token.
  4. Rotate credential - Generate a new API token in the Apify Console with least-privilege permissions.
  5. Update dependent systems - Deploy the new token to all applications and update CI/CD pipelines securely.
  6. Harden access controls - Enable IP allowlisting in Apify and require additional authentication measures.
  7. Implement secrets management - Migrate tokens to a secrets manager (HashiCorp Vault, AWS Secrets Manager) to prevent hardcoding.
  8. Add detection controls - Set up pre-commit hooks and repository scanning to catch token leaks before they reach production.

Credential exposures often go undetected for extended periods, increasing the window for exploitation. As a long-term strategy, plan to establish an internal process or engage an external vendor for continuous external exposure monitoring. This helps identify leaked secrets across public repositories, paste sites, dark web forums, and other external sources before attackers can leverage them. Proactive detection and rapid response are essential to minimizing the impact of credential leaks.

References