Phishing Api Keys in Feathersjs
How Phishing Api Keys Manifests in Feathersjs
Phishing API keys in Feathersjs applications typically occurs when authentication tokens or API keys are exposed through predictable endpoints, insufficient authorization checks, or improper error handling. This vulnerability allows attackers to harvest valid credentials that can be used to impersonate legitimate users or services.
In Feathersjs, the most common attack vector is through the authentication service's predictable response patterns. When a Feathersjs application uses the default authentication setup, successful login attempts return a complete user object including sensitive fields like id, email, and sometimes custom fields that shouldn't be exposed. If the API key or JWT token is returned in a predictable format without proper rate limiting, attackers can use automated tools to enumerate valid keys.
// Vulnerable Feathersjs authentication service
const { AuthenticationService } = require('@feathersjs/authentication');
class MyAuthService extends AuthenticationService {
async create(data, params) {
const authResult = await super.create(data, params);
// Returns entire user object + token without filtering
return authResult;
}
}Another Feathers-specific manifestation occurs in service hooks where authorization checks are bypassed. Feathersjs uses a powerful hooks system that runs before, after, or around service methods. If a hook that should verify API key ownership is missing or improperly configured, an attacker can access resources belonging to other users through IDOR (Insecure Direct Object Reference) attacks.
// Vulnerable service without proper authorization hook
const users = app.service('users');
users.hooks({
Feathersjs applications are also vulnerable when using the default JSON serializer, which may expose internal fields like _id, createdAt, updatedAt, and authentication-related fields. When combined with insufficient input validation, this can lead to credential harvesting through crafted requests that trigger error messages containing sensitive information.
Feathersjs-Specific Detection
Detecting phishing API key vulnerabilities in Feathersjs requires examining both the application code and runtime behavior. The first step is to audit authentication service configurations and verify that sensitive fields are properly filtered before being sent to clients.
// Detection: Check for exposed sensitive fields
const sensitiveFields = ['password', 'apiKey', 'token', 'secret', 'authData'];
const authService = app.service('authentication');
const authSchema = authService.options.entity || 'user';
const userSchema = app.service(authSchema).options.Model.schema;
// Verify no sensitive fields are in the default select
const defaultSelect = authService.options.select || {};
for (const field of sensitiveFields) {
if (defaultSelect[field] !== 0) {
console.warn(`Sensitive field ${field} may be exposed`);
}
}middleBrick's API security scanner can automatically detect these vulnerabilities in Feathersjs applications by testing unauthenticated endpoints for predictable response patterns and missing authorization checks. The scanner tests for common attack patterns including:
- Authentication endpoint enumeration through timing analysis
- Missing authorization hooks on service methods
- Exposed internal fields in API responses
- Predictable error messages that leak implementation details
- Insufficient rate limiting on authentication endpoints
For Feathersjs applications, middleBrick specifically checks the authentication service configuration and scans for common anti-patterns like returning the entire user object after successful authentication, missing before hooks on sensitive service methods, and improper field selection in database queries.
Runtime detection can also be performed using Feathersjs's built-in hooks system to log and monitor suspicious authentication patterns:
const { authenticate } = require('@feathersjs/authentication').hooks;
const { iff, isProvider, preventChanges } = require('feathers-hooks-common');
const authHooks = {
{
!sensitiveFields.includes(data.field));
Feathersjs-Specific Remediation
Remediating phishing API key vulnerabilities in Feathersjs requires a multi-layered approach focusing on proper authentication configuration, authorization checks, and response filtering. The first step is to implement strict field selection and filtering in your authentication service.
// Secure authentication service with field filtering
const { AuthenticationService } = require('@feathersjs/authentication');
const { disallow, discard } = require('feathers-hooks-common');
class SecureAuthService extends AuthenticationService {
}
// Apply secure hooks to all services
const secureHooks = {
{
{
{
removeFields(item));
{
Implement proper authorization hooks using Feathersjs's built-in capabilities to prevent IDOR attacks:
const { authenticate } = require('@feathersjs/authentication').hooks;
const { iff, isProvider, fastJoin } = require('feathers-hooks-common');
const authorizationHooks = {
{
{
Add rate limiting to authentication endpoints to prevent credential enumeration attacks:
const rateLimit = require('express-rate-limit');
const authRateLimiter = rateLimit({
// Apply to authentication service
app.service('authentication').hooks({
For production deployments, integrate middleBrick's continuous monitoring to automatically scan your Feathersjs APIs for phishing vulnerabilities and other security issues. The Pro plan includes scheduled scans that can detect when new vulnerabilities are introduced during development.