An API key is essentially a password that grants you access to the functionalities of an API. For example, a Twilio API key allows you to send SMS messages, a Firebase API key provides access to the database, and a Stripe API key gives access to financial accounts.
To store API keys, most developers use .env files, which assign each key to an environment variable. When the application needs a key, the server process reads the corresponding environment variable at runtime.
Typically, .env files are not meant to be publicly visible. However, if a developer pushes a project to a public Git repository without removing this file, it exposes the API keys to everyone.
Because each service expects its API key in a specific, well-known environment variable name, searching public code for those variable names is a way to find potentially leaked keys.
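The defender's counterpart to this search is to check your own .env file before it can ever reach a public repository. The following is an added example (not code from the original post or from Lock-Picker): it parses .env syntax, flags variables whose names suggest a credential and whose values are long and high-entropy, and checks whether .gitignore excludes the file. The sample .env and .gitignore contents are constructed for the demo and contain no real credentials; the variable names used are assumptions chosen to match the services mentioned above.

```python
import math
import re
from collections import Counter

# Constructed sample .env (placeholder values, not real credentials).
SAMPLE_ENV = """# service credentials
export TWILIO_ACCOUNT_SID="ACx0f3d8c1b2a4e5f6978d0c1b2a3e4f5d6"
TWILIO_AUTH_TOKEN=9f2c1a7e4b8d6f0a3c5e7b9d1f2a4c6e
STRIPE_SECRET_KEY='sk_test_PLACEHOLDER_4eC39HqLyjWDarjtT1zdp7dc'
FIREBASE_API_KEY=AIzaPLACEHOLDERq3vX7w1n8Kd2Lp9Rf0Tz
APP_ENV=production
PORT=8080
DEBUG=false
"""

# Constructed sample .gitignore that forgets to exclude .env.
SAMPLE_GITIGNORE = """node_modules/
dist/
"""

# KEY=VALUE with an optional leading "export"; inline comments are not handled.
_LINE = re.compile(r'^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$')
# Variable names that conventionally carry credentials.
_SECRET_NAME = re.compile(r'(KEY|SECRET|TOKEN|PASSWORD|SID|AUTH)', re.IGNORECASE)


def parse_env(text):
    """Parse .env text into a dict, skipping blanks/comments and stripping quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in '"\'':
            value = value[1:-1]
        env[name] = value
    return env


def shannon_entropy(s):
    """Bits of entropy per character; random-looking keys score well above plain words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def find_secrets(env, min_len=16):
    """Return {name: entropy} for variables that look like credentials.

    Heuristic: the name matches a credential keyword and the value is at least
    min_len characters. Entropy is reported so a reviewer can rank the hits.
    """
    found = {}
    for name, value in env.items():
        if _SECRET_NAME.search(name) and len(value) >= min_len:
            found[name] = round(shannon_entropy(value), 2)
    return found


def gitignore_covers_env(gitignore_text):
    """True if .gitignore contains a pattern that excludes a top-level .env file."""
    patterns = {ln.strip() for ln in gitignore_text.splitlines()
                if ln.strip() and not ln.lstrip().startswith('#')}
    return any(p in ('.env', '/.env', '*.env', '.env*') for p in patterns)


def audit(env_text, gitignore_text):
    """Combine both checks into one report suitable for a pre-commit hook."""
    secrets = find_secrets(parse_env(env_text))
    return {"secrets": sorted(secrets), "env_ignored": gitignore_covers_env(gitignore_text)}


if __name__ == "__main__":
    report = audit(SAMPLE_ENV, SAMPLE_GITIGNORE)
    for name, ent in sorted(find_secrets(parse_env(SAMPLE_ENV)).items()):
        print(f"{name}: entropy {ent}")
    if report["secrets"] and not report["env_ignored"]:
        print("FAIL: .env holds credentials and is not excluded by .gitignore")
```

Wired into a pre-commit hook, a non-zero exit on that FAIL condition blocks the push the post describes. The name-based heuristic is deliberately narrow and will miss keys stored under unusual variable names, so treat it as a safety net rather than a guarantee; and because Git history retains every committed version, a key that has already been pushed must be rotated, not merely deleted from the working tree.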
To demonstrate this type of attack, I created a tool that searches for API keys from environment variables using the GitHub API. This tool, called Lock-Picker, first generates numerous search queries related to the environment variable you specify and then extracts API keys from the search results.