Frame.io API Token
Frame.io API Tokens are credentials used to authenticate and interact with the Frame.io platform, a popular video collaboration and review tool. These tokens allow applications and users to access Frame.io's API to manage projects, assets, and user permissions. Exposure of these tokens is a significant security concern as it can lead to unauthorized access to sensitive video content, project data, and potentially allow malicious actions within the Frame.io environment.
How Does It Look
Frame.io API Tokens can appear in various contexts, such as:
- Environment variables:
export FRAMEIO_API_TOKEN="fr12345exampletoken"
- Configuration files (JSON):
{
  "frameio": {
    "apiToken": "fr12345exampletoken"
  }
}
- Code snippets:
const frameio = require('frameio');
const client = new frameio.Client({ token: 'fr12345exampletoken' });
- Connection strings:
frameio://fr12345exampletoken@api.frame.io
Severity
🟠 High
The severity is high because the API token provides access to Frame.io's API, which can include sensitive project data and media assets. The blast radius is significant as it can affect all projects and assets accessible by the token, potentially leading to data leaks or unauthorized modifications.
What Can an Attacker Do?
With immediate access to a valid Frame.io API Token, an attacker can perform several actions:
- Access and download media assets (if the token has read permissions)
- Modify or delete projects and assets (if the token has write permissions)
- Invite or remove collaborators (if the token has user management permissions)
- Access project metadata and comments (depending on permission scope)
An attacker could escalate their access by leveraging the token to gather more information about the organization’s Frame.io usage, potentially moving laterally to other systems integrated with Frame.io.
Real-World Impact
Exposure of a Frame.io API Token poses a significant business risk, primarily through unauthorized access to sensitive media content and project data.
Potential consequences include:
- Data Exposure: Unauthorized access to video content and project details (if the token has read access to sensitive data)
- Financial Loss: Costs associated with data breaches and potential legal actions (if billing/resource creation is permitted)
- Operational Disruption: Interruption of video production workflows (if the attacker has delete/modify permissions)
- Reputational Damage: Loss of client trust and brand reputation
In worst-case scenarios, the exposure could lead to cascading effects, such as further breaches in integrated systems or loss of competitive advantage due to leaked content.
Prerequisites for Exploitation
- Network access requirements: Internet access to Frame.io API endpoints
- Additional context needed: Knowledge of Frame.io account structure and project IDs
- Rate limits or restrictions: API rate limits may slow down exploitation but not prevent it
How to Verify If It's Active
To verify whether a Frame.io API Token is still active, send an authenticated request to the /v2/me endpoint, substituting the token for [TOKEN]:
curl -X GET "https://api.frame.io/v2/me" -H "Authorization: Bearer [TOKEN]"
Valid credential response: A successful response will return user information associated with the token.
Invalid/expired credential response: An error message indicating unauthorized access or invalid token.
Detection Patterns
Common Variable Names:
- FRAMEIO_API_TOKEN
- FRAMEIO_TOKEN
- API_TOKEN
- FRAMEIO_KEY
- TOKEN
- FRAMEIO_SECRET
File Locations:
- .env
- config.json
- settings.yaml
- app-config.js
- credentials.txt
Regex Pattern:
fr[a-zA-Z0-9]{20,40}
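The regex above is a loose prefix-plus-length pattern, so on its own it also matches ordinary identifiers that start with "fr" and run 20 to 40 characters. The scanner below is an added example (not part of this page or of Frame.io's tooling) that combines the page's regex with its variable-name list to grade each hit; the CONTEXT_HINTS tuple, the letter/digit shape check and the sample lines are assumptions constructed for illustration.

```python
import re
from typing import Dict, List

# Regex from the page, wrapped in word boundaries so the 20-40 character run must
# stand alone (bare "fr[a-zA-Z0-9]{20,40}" also fires inside identifiers like
# "frameworkConfigurationLoader").
TOKEN_RE = re.compile(r"\bfr[a-zA-Z0-9]{20,40}\b")
# Variable names listed on the page under "Common Variable Names".
NAME_RE = re.compile(
    r"\b(FRAMEIO_API_TOKEN|FRAMEIO_TOKEN|API_TOKEN|FRAMEIO_KEY|TOKEN|FRAMEIO_SECRET)\b",
    re.IGNORECASE,
)
# Extra context hints (assumed, not from the page) that tie a hit to Frame.io.
CONTEXT_HINTS = ("frameio", "frame.io", "apitoken")

def looks_random(candidate: str) -> bool:
    """Cheap shape check: issued tokens mix letters and digits, English identifiers rarely do."""
    digits = sum(ch.isdigit() for ch in candidate)
    return digits >= 3 and len(candidate) - digits >= 3

def redact(token: str) -> str:
    """Never store the full secret in a finding: keep the 'fr' prefix and the last 4 chars."""
    return token[:2] + "*" * (len(token) - 6) + token[-4:]

def scan_text(text: str) -> List[Dict[str, object]]:
    """Scan text line by line and return candidate Frame.io tokens with a confidence label."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in TOKEN_RE.finditer(line):
            candidate = match.group(0)
            if NAME_RE.search(line) or any(h in line.lower() for h in CONTEXT_HINTS):
                confidence = "high"    # regex hit beside a known variable name or Frame.io context
            elif looks_random(candidate):
                confidence = "medium"  # token-shaped hit with no naming context
            else:
                continue               # regex hit on an ordinary identifier: false positive
            findings.append({"line": lineno, "token": redact(candidate), "confidence": confidence})
    return findings

# Constructed sample input, not real credentials. The page's own illustrative value
# "fr12345exampletoken" has only 17 characters after "fr", below the regex minimum
# of 20, so the pattern does not flag it (last line).
SAMPLE = """\
export FRAMEIO_API_TOKEN="fr7Kd2Lm9Qp4Rt6Vw8Xy1Za3Bc5De7F"
frameworkConfigurationLoader = load_config()
secret_value = "fr0aB1cD2eF3gH4iJ5kL6mN7oP8qR9s"
"apiToken": "fr12345exampletoken"
"""
```

Running scan_text(SAMPLE) reports the line 1 hit as high confidence, the line 3 hit as medium, drops the identifier on line 2, and never sees the short sample value on line 4.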
Remediation Steps
- Revoke immediately - Go to Frame.io > Developer Settings > API Tokens and delete the compromised token.
- Audit access logs - Review Frame.io access logs for unauthorized actions or data access during the exposure window.
- Assess blast radius - Identify all projects and assets accessed using the exposed token.
- Rotate credential - Generate a new API token in Frame.io with least-privilege permissions.
- Update dependent systems - Deploy the new token to all applications and update CI/CD pipelines securely.
- Harden access controls - Enable IP allowlisting in Frame.io and enforce two-factor authentication for all users.
- Implement secrets management - Migrate credentials to a secrets manager (HashiCorp Vault, AWS Secrets Manager) to prevent hardcoding.
- Add detection controls - Set up pre-commit hooks and repository scanning to catch credential leaks before they reach production.
Credential exposures often go undetected for extended periods, increasing the window for exploitation. As a long-term strategy, plan to establish an internal process or engage an external vendor for continuous external exposure monitoring. This helps identify leaked secrets across public repositories, paste sites, dark web forums, and other external sources before attackers can leverage them. Proactive detection and rapid response are essential to minimizing the impact of credential leaks.