PubNub Keys
PubNub keys are essential credentials used to authenticate and authorize access to the PubNub real-time messaging platform. These keys enable applications to publish and subscribe to data streams, manage channels, and perform other operations within the PubNub ecosystem. Exposure of these keys can lead to unauthorized access to your PubNub account, allowing attackers to intercept messages, manipulate data streams, or incur unexpected costs by abusing the service.
How Does It Look
PubNub keys can appear in various contexts, such as:
- Environment variables:
    export PUBNUB_PUBLISH_KEY="pub-c-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    export PUBNUB_SUBSCRIBE_KEY="sub-c-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
- Configuration files (JSON, YAML, .env):
    {
      "publishKey": "pub-c-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "subscribeKey": "sub-c-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    }
- Code snippets:
    const pubnub = new PubNub({
      publishKey: 'pub-c-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx',
      subscribeKey: 'sub-c-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
    });
- Connection strings:
    pubnub://pub-c-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx:sub-c-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx@pubnub.com
Severity
🟠 High
The severity of exposed PubNub keys is high because they grant access to real-time messaging capabilities, which can be exploited to intercept or manipulate data streams. The blast radius includes unauthorized data access and potential service abuse, leading to financial and operational impacts.
What Can an Attacker Do?
With immediate access to PubNub keys, an attacker can intercept and manipulate real-time data streams, potentially causing significant disruptions.
Key actions an attacker can perform:
- Intercept messages: Capture sensitive data being transmitted (if the keys have read permissions).
- Publish unauthorized messages: Send false or misleading information to subscribers (if the keys have write permissions).
- Manipulate channels: Alter channel configurations or delete channels (if administrative permissions are granted).
- Incur additional costs: Abuse the service to generate excessive usage charges (if rate limits are not enforced).
An attacker could also use these capabilities to escalate their access or move laterally within the network, potentially compromising other systems or services.
Real-World Impact
Exposure of PubNub keys poses a significant business risk, potentially leading to data breaches and service disruptions.
Potential consequences include:
- Data Exposure: Interception of sensitive messages (if the keys have read access to confidential data).
- Financial Loss: Increased service charges due to unauthorized usage (if billing/resource creation is permitted).
- Operational Disruption: Service outages or data integrity issues (if the attacker has modify permissions).
- Reputational Damage: Loss of customer trust and brand reputation.
In worst-case scenarios, attackers could leverage exposed keys to orchestrate large-scale disruptions, affecting multiple services and stakeholders.
Prerequisites for Exploitation
- Network access requirements: Ability to connect to the PubNub service.
- Additional context needed: Knowledge of specific channels or endpoints.
- Rate limits or restrictions: Potential throttling if rate limits are configured.
How to Verify If It's Active
To verify if a PubNub key is active, use the following command:
curl -X GET "https://ps.pndsn.com/v2/subscribe/[SUBSCRIBE_KEY]/my_channel/0" -H "Authorization: [TOKEN]"
Valid credential response: A successful response will return a JSON object with message data.
Invalid/expired credential response: An error message indicating unauthorized access or invalid credentials.
Detection Patterns
Common Variable Names:
- PUBNUB_PUBLISH_KEY
- PUBNUB_SUBSCRIBE_KEY
- PUBNUB_SECRET_KEY
- PUBNUB_API_KEY
- PUBNUB_KEY
- PUBNUB_TOKEN
File Locations:
- .env
- config.json
- settings.yaml
- pubnub-config.js
- application.properties
Regex Pattern:
(pub-c|sub-c|sec-c)-[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}
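The regex above applied as a line scanner, as an added example that is not part of the original page. The names scan, redact and SAMPLE, the boundary guards around the pattern, and every key value in the sample are constructed for illustration.

```python
import re
import sys

# The page's regex, plus boundary guards (an assumption added here) so a key
# is not reported when it sits inside a longer alphanumeric token.
KEY_RE = re.compile(
    r"(?<![A-Za-z0-9-])(pub-c|sub-c|sec-c)-"
    r"[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}"
    r"(?![A-Za-z0-9])"
)
KIND = {"pub-c": "publish", "sub-c": "subscribe", "sec-c": "secret"}


def redact(key):
    """Keep the 6-character prefix and last 4 characters so findings are safe to log."""
    return key[:6] + "****" + key[-4:]


def scan(text, path="<input>"):
    """Return one finding per key occurrence: path, line number, key kind, redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            findings.append({
                "path": path,
                "line": lineno,
                "kind": KIND[m.group(1)],
                "redacted": redact(m.group(0)),
            })
    return findings


# Constructed sample covering the contexts listed under "How Does It Look".
# Line 2 is the documentation placeholder: 'x' is not in [a-f0-9], so it is skipped.
# Line 5 is upper-case: the pattern as written is case-sensitive and skips it.
SAMPLE = """\
export PUBNUB_PUBLISH_KEY="pub-c-0a1b2c3d-1111-2222-3333-0123456789ab"
export PUBNUB_SUBSCRIBE_KEY="sub-c-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
{"subscribeKey": "sub-c-4e5f6a7b-aaaa-bbbb-cccc-ba9876543210"}
pubnub://pub-c-0a1b2c3d-1111-2222-3333-0123456789ab:sub-c-4e5f6a7b-aaaa-bbbb-cccc-ba9876543210@pubnub.com
PUBNUB_KEY=SUB-C-4E5F6A7B-AAAA-BBBB-CCCC-BA9876543210
"""

if __name__ == "__main__":
    hits = scan(SAMPLE, "sample.env")
    for h in hits:
        print(f'{h["path"]}:{h["line"]}: {h["kind"]} key {h["redacted"]}')
    sys.exit(1 if hits else 0)  # non-zero exit lets a pre-commit hook block the commit
```

Findings carry only the redacted form, so scanner output can go to CI logs without re-exposing the key.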
Remediation Steps
- Revoke immediately - Go to PubNub Admin Dashboard > Access Manager and revoke the compromised keys.
- Audit access logs - Review PubNub access logs for unauthorized message publications or subscriptions during the exposure window.
- Assess blast radius - Identify all systems, applications, and environments that used the exposed keys.
- Rotate credential - Generate new PubNub keys with least-privilege permissions in the PubNub Admin Dashboard.
- Update dependent systems - Deploy the new keys to all applications and update CI/CD pipelines securely.
- Harden access controls - Enable IP allowlisting in PubNub and require secure connections.
- Implement secrets management - Migrate keys to a secrets manager (HashiCorp Vault, AWS Secrets Manager) to prevent hardcoding.
- Add detection controls - Set up pre-commit hooks and repository scanning to catch key leaks before they reach production.
Credential exposures often go undetected for extended periods, increasing the window for exploitation. As a long-term strategy, plan to establish an internal process or engage an external vendor for continuous external exposure monitoring. This helps identify leaked secrets across public repositories, paste sites, dark web forums, and other external sources before attackers can leverage them. Proactive detection and rapid response are essential to minimizing the impact of credential leaks.