Skip to main content

Runway API Key

Runway API Keys are used to authenticate requests to the Runway platform, which provides tools for managing and deploying machine learning models. These keys grant access to various services within the platform, including model training, deployment, and data management. Exposure of a Runway API Key can lead to unauthorized access to sensitive data and resources, making it a significant security concern.

How Does It Look

Runway API Keys can appear in various contexts, such as:

  • Environment variables:

    export RUNWAY_API_KEY="rk_live_XXXXXXXXXXXXXXXXXXXX"

  • Configuration files (JSON, YAML, .env):

    {
      "apiKey": "rk_live_XXXXXXXXXXXXXXXXXXXX"
    }
    api_key: rk_live_XXXXXXXXXXXXXXXXXXXX

  • Code snippets:

    import runway

    client = runway.Client(api_key="rk_live_XXXXXXXXXXXXXXXXXXXX")

  • Connection strings:

    runway://rk_live_XXXXXXXXXXXXXXXXXXXX@api.runwayml.com

Severity

  • 🔴 Critical

The severity of exposing a Runway API Key is critical because it can provide full access to the Runway account, including the ability to manage models, access sensitive data, and incur costs by deploying resources. The blast radius is significant as it can affect all services and data associated with the account.

What Can an Attacker Do?

With immediate access to a Runway API Key, an attacker can perform several actions that compromise the security and integrity of the account.

Key actions an attacker can perform:

  • Delete or modify models (if the credential has write permissions)
  • Access sensitive data (if the account has access to datasets)
  • Deploy resources for unauthorized purposes (if compute permissions are granted)
  • Incur financial costs (by deploying expensive resources)

An attacker could also escalate their access by exploiting other vulnerabilities within the account or using the compromised key to move laterally to other connected systems.

Real-World Impact

The exposure of a Runway API Key poses significant business risks, including:

Potential consequences include:

  • Data Exposure: Access to proprietary models and datasets (if the credential has read access to sensitive data)
  • Financial Loss: Unauthorized resource deployment leading to increased billing (if billing/resource creation is permitted)
  • Operational Disruption: Interruption of model deployment and management (if the attacker has delete/modify permissions)
  • Reputational Damage: Loss of trust from clients and partners due to data breaches

In the worst-case scenario, the exposure could lead to cascading effects, such as further breaches in connected systems or long-term financial and reputational damage.

Prerequisites for Exploitation

To exploit a Runway API Key, an attacker needs:

  • Network access: Ability to send requests to the Runway API
  • Additional context: Knowledge of the specific API endpoints and account structure
  • No rate limits: Exploitation is easier if there are no strict rate limits or IP restrictions in place

How to Verify If It's Active

To verify if a Runway API Key is active, use the following command:

curl -X GET "https://api.runwayml.com/v1/models" -H "Authorization: Bearer [API_KEY]"

Valid credential response: A successful response will return a list of models associated with the account.

Invalid/expired credential response: An error message indicating unauthorized access or invalid credentials.

Detection Patterns

Common Variable Names:

  • RUNWAY_API_KEY
  • API_KEY
  • RUNWAY_KEY
  • RUNWAY_SECRET
  • RW_API_KEY
  • RW_SECRET

File Locations:

  • .env
  • config.json
  • settings.yaml
  • credentials.py
  • runway_config.yml

Regex Pattern:

rk_live_[A-Za-z0-9]{24}

Remediation Steps

  1. Revoke immediately - Go to Runway Dashboard > API Keys and delete the compromised key.
  2. Audit access logs - Review Runway access logs for unauthorized actions or data access during the exposure window.
  3. Assess blast radius - Identify all systems, applications, and environments that used the exposed credential.
  4. Rotate credential - Generate a new API Key in the Runway Dashboard with least-privilege permissions.
  5. Update dependent systems - Deploy the new credential to all applications and update CI/CD pipelines securely.
  6. Harden access controls - Enable IP allowlisting in Runway and require TLS connections.
  7. Implement secrets management - Migrate credentials to a secrets manager (HashiCorp Vault, AWS Secrets Manager) to prevent hardcoding.
  8. Add detection controls - Set up pre-commit hooks and repository scanning to catch credential leaks before they reach production.

Credential exposures often go undetected for extended periods, increasing the window for exploitation. As a long-term strategy, plan to establish an internal process or engage an external vendor for continuous external exposure monitoring. This helps identify leaked secrets across public repositories, paste sites, dark web forums, and other external sources before attackers can leverage them. Proactive detection and rapid response are essential to minimizing the impact of credential leaks.

References