Lesson learned: showed (accidentally) API key + secret in post

Hi,

@ivan

Since I was notified that I could be hacked, I learned my lesson and have deleted all my current servers…! Luckily they were all test / development ones. But it delays development… :frowning:

Accidentally I used a command-line example in a post here to auto-update the Cloud Functions of a server, and in there the API key + secret and the server were mentioned…!

The notifier deleted a few servers and removed the Cloud Functions of one…

@Ivan: is there a method / way to reset those API key + secret… they are equal for all servers in my account.

If that is not possible, I have to close my account and create a new one… :frowning:

Moralis is great! But this makes it small…
Have a nice day !

3 Likes

Hey @CasNWK, hope you are OK.

I think there is no way to reset the API key + secret; it's created for each server. If you have exposed your secret and key to the public, it can happen that someone could use yours for malicious purposes.

Please share ONLY your email; maybe we could try to change your API key + secret from our side, but please keep in mind that those are secret, you should not expose them to the public.

Carlos Z

After deleting all the servers, if you make a new one, will it have new creds?

Each server or each account?

OP already showed due remorse:

I just added a test server and it has the same CLI creds as the other one. The dashboard creds are different.

2 Moralis feature requests

  1. Change the CLI creds for each server
  2. Add a button to reset them (on each server details page)

Indeed, the CLI creds are the same for all servers (for now), but they should be at least different in the key secret, I guess.

I will notify the dev team about this; I think it just makes sense for everyone to do it this way. Thanks @gotjoshua.

Carlos Z

2 Likes

I would still like this to be added as a feature request.

This stuff happens… .env files get committed, creds get posted… easy clean-up is user friendly.

Most systems that use API keys offer the possibility to instantly revoke and reissue them.

1 Like

Hi,

@ivan

Before I posted this message (and earlier) I checked the API key and secret of each server I created in my Moralis account: they are ALL the SAME for all the created servers…!
When I create a new first server: again the same.

And normally I know what I share and what not to share, or I change it so that not the (whole) thing is readable, but this time I copied that command-line instruction and pasted it without checking what was in there…

So: lesson learned.

And since all the servers have the same key and the same secret (for the API!), I have deleted all the servers and have none active now.

Waiting for a message that it is refreshed for my Moralis account (DM for details).

As earlier mentioned:

Moralis feature requests
  1. Change the CLI creds for each server
  2. Add a button to reset them (on each server details page)

Have a nice day.

2 Likes

You can't have an adequate user/password implementation that does not enforce some password/secret rotation on a regular basis. A minimum of quarterly is a wise policy, but keeping it the same for 10 years is a big no-no.

Thanks

Cacao

2 Likes
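To make concrete what the feature request above (per-server keys with instant revoke and reissue) and Cacao's point about enforced rotation would look like on the issuing side, here is a small, added example. It is not Moralis code and says nothing about how Moralis actually stores credentials; `KeyStore`, `MAX_KEY_AGE_SECONDS` and the server names are all assumptions made for the illustration. The store hands out a distinct key + secret per server, keeps only a digest of the secret, lets a leaked key be revoked and reissued without touching other servers, and refuses keys older than one quarter until they are rotated.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy: keys older than a quarter are refused until reissued.
MAX_KEY_AGE_SECONDS = 90 * 24 * 60 * 60


@dataclass
class ApiCredential:
    key_id: str
    secret_digest: bytes  # SHA-256 of the secret; the clear secret is never stored
    issued_at: float
    revoked: bool = False


def _digest(secret: str) -> bytes:
    # A plain hash is adequate here because the secret is 256 bits of CSPRNG
    # output, not a human-chosen password, so a slow KDF buys nothing.
    return hashlib.sha256(secret.encode()).digest()


class KeyStore:
    """Per-server API credentials with revoke, reissue and maximum-age checks."""

    def __init__(self, now=time.time):
        self._now = now                                 # injectable clock for testing
        self._creds: dict[str, ApiCredential] = {}      # key_id -> credential
        self._server_key: dict[str, str] = {}           # server -> current key_id

    def issue(self, server: str) -> tuple[str, str]:
        """Create a fresh key + secret for `server`; any previous key for it is revoked."""
        self.revoke(server)
        key_id = secrets.token_hex(16)
        secret = secrets.token_urlsafe(32)
        self._creds[key_id] = ApiCredential(key_id, _digest(secret), self._now())
        self._server_key[server] = key_id
        return key_id, secret  # the clear secret leaves the store exactly once

    def revoke(self, server: str) -> bool:
        """Invalidate the current key for `server`. Returns True if there was one."""
        key_id = self._server_key.pop(server, None)
        if key_id is None:
            return False
        self._creds[key_id].revoked = True
        return True

    def verify(self, key_id: str, secret: str) -> tuple[bool, str]:
        """Check a presented key + secret; returns (accepted, reason)."""
        cred = self._creds.get(key_id)
        if cred is None:
            return False, "unknown key"
        # Constant-time compare so a wrong secret does not leak how much of it matched.
        if not hmac.compare_digest(cred.secret_digest, _digest(secret)):
            return False, "bad secret"
        if cred.revoked:
            return False, "revoked"
        if self._now() - cred.issued_at > MAX_KEY_AGE_SECONDS:
            return False, "expired: rotate the key"
        return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through of the leak scenario from the thread.
    clock = [1_700_000_000.0]
    store = KeyStore(now=lambda: clock[0])
    kid_a, sec_a = store.issue("server-a")
    kid_b, sec_b = store.issue("server-b")
    print("distinct per server:", kid_a != kid_b and sec_a != sec_b)
    kid_a2, sec_a2 = store.issue("server-a")      # server-a's key was pasted publicly: reissue it
    print("leaked key now:", store.verify(kid_a, sec_a))
    print("new key:", store.verify(kid_a2, sec_a2), "other server:", store.verify(kid_b, sec_b))
    clock[0] += MAX_KEY_AGE_SECONDS + 1
    print("after a quarter without rotation:", store.verify(kid_b, sec_b))
```

The important design choices are the ones the thread asks for: issuing is scoped to one server, so reissuing after a leak does not force the owner to rebuild everything else, and the secret is shown once and stored only as a digest, so a database read does not hand out usable credentials.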