Skip to main content

DigitalOcean Refresh Token

A DigitalOcean Refresh Token is a credential used to obtain a new access token without requiring the user to re-authenticate. It is part of the OAuth 2.0 protocol and is used to maintain access to DigitalOcean's API services. Exposure of this token is a significant security concern because it allows an attacker to generate new access tokens, potentially leading to unauthorized access to resources and services within a DigitalOcean account.

How Does It Look

Refresh tokens can appear in various contexts, such as:

  • Environment variables:

    export DO_REFRESH_TOKEN="do_refresh_token_1234567890abcdef"

  • Configuration files (JSON):

    {
      "refresh_token": "do_refresh_token_1234567890abcdef"
    }

  • Code snippets:

    refresh_token = "do_refresh_token_1234567890abcdef"

  • Connection strings:

    refresh_token=do_refresh_token_1234567890abcdef

Severity

  • 🔴 Critical

The severity of a DigitalOcean Refresh Token exposure is critical because it allows an attacker to generate new access tokens, granting them access to the DigitalOcean API. This can lead to unauthorized actions such as creating, modifying, or deleting resources. The blast radius is extensive, as it can affect all resources and services associated with the compromised account.

What Can an Attacker Do?

With immediate access to a valid refresh token, an attacker can generate new access tokens and perform various actions within the DigitalOcean account.

Key actions an attacker can perform:

  • Create or delete resources: Spin up or destroy droplets, databases, and other resources (if the token has write permissions).
  • Access billing information: View or modify billing details (if the account has billing scope enabled).
  • Modify DNS settings: Change DNS records, potentially redirecting traffic (if DNS management permissions are granted).
  • Access sensitive data: Retrieve data from databases or storage (if read access is enabled).

An attacker can also escalate their access by exploring other connected services or accounts, potentially leading to further compromise of the infrastructure.

Real-World Impact

Exposure of a DigitalOcean Refresh Token poses significant business risks, including unauthorized access and control over cloud resources.

Potential consequences include:

  • Data Exposure: Sensitive data stored in databases or volumes (if the credential has read access to sensitive data).
  • Financial Loss: Increased costs due to unauthorized resource creation or usage (if billing/resource creation is permitted).
  • Operational Disruption: Downtime or service interruptions due to resource deletion or modification (if the attacker has delete/modify permissions).
  • Reputational Damage: Loss of customer trust and brand reputation due to data breaches or service disruptions.

In the worst-case scenario, an attacker could gain full control over the cloud environment, leading to cascading effects across all dependent services and applications.

Prerequisites for Exploitation

To exploit a DigitalOcean Refresh Token, an attacker needs:

  • Network access: Ability to interact with the DigitalOcean API.
  • Additional context: Knowledge of the account's API endpoints and potentially other account-specific details.
  • No rate limits: The attacker may face rate limits or restrictions if the account has such controls in place.

How to Verify If It's Active

To verify if a refresh token is active, use the following command to attempt token exchange:

curl -X POST "https://cloud.digitalocean.com/v1/oauth/token" \
     -d "grant_type=refresh_token" \
     -d "refresh_token=[REFRESH_TOKEN]" \
     -d "client_id=[CLIENT_ID]" \
     -d "client_secret=[CLIENT_SECRET]"

Valid credential response: A successful response will include a new access token and its expiration details.

Invalid/expired credential response: An error message indicating the token is invalid or expired.

Detection Patterns

Common Variable Names:

  • DO_REFRESH_TOKEN
  • DIGITALOCEAN_REFRESH_TOKEN
  • REFRESH_TOKEN
  • TOKEN_REFRESH
  • DO_TOKEN
  • DIGITALOCEAN_TOKEN

File Locations:

  • .env
  • config.json
  • settings.yaml
  • credentials.txt
  • secrets.env

Regex Pattern:

do_refresh_token_[a-zA-Z0-9]{16,}

Remediation Steps

  1. Revoke immediately - Go to DigitalOcean Control Panel > API > Tokens/Keys and revoke the compromised refresh token.
  2. Audit access logs - Review DigitalOcean API logs for unauthorized actions or token exchanges during the exposure window.
  3. Assess blast radius - Identify all systems, applications, and environments that used the exposed credential.
  4. Rotate credential - Generate a new refresh token and update all dependent systems with the new token.
  5. Update dependent systems - Deploy the new credential to all applications and update CI/CD pipelines securely.
  6. Harden access controls - Enable IP allowlisting and enforce two-factor authentication for accessing the DigitalOcean account.
  7. Implement secrets management - Migrate credentials to a secrets manager (HashiCorp Vault, AWS Secrets Manager) to prevent hardcoding.
  8. Add detection controls - Set up pre-commit hooks and repository scanning to catch credential leaks before they reach production.

Credential exposures often go undetected for extended periods, increasing the window for exploitation. As a long-term strategy, plan to establish an internal process or engage an external vendor for continuous external exposure monitoring. This helps identify leaked secrets across public repositories, paste sites, dark web forums, and other external sources before attackers can leverage them. Proactive detection and rapid response are essential to minimizing the impact of credential leaks.

References