Description
PubNub issues a secret key (`sec-c-` prefix) alongside publish and subscribe keys when Access Manager (PAM) is enabled. The secret key is used to sign API requests that grant or revoke channel access permissions. It is a high-value credential. Possession of the secret key allows full control over who can read or write to any channel on the account. TruffleHog currently detects PubNubPublishKey and PubNubSubscriptionKey but not the secret key.
Preferred Solution
Add a new `PubNubSecretKey` detector that matches the sec+pub+sub key triple and verifies credentials using the PAM v2 HMAC-SHA256 signed grant endpoint.
References
https://www.pubnub.com/docs/general/security/access-control
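
The matching and signing steps the proposal describes, as an added sketch that is not TruffleHog's detector code and is not part of the original issue. `Triple`, `FindTriples` and `SignGrant` are hypothetical names; the key patterns beyond the `sec-c-` prefix and the layout of the signing string are assumptions. It runs offline and sends no request.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"regexp"
)

// Assumed key shapes: only the sec-c- prefix comes from the issue text.
var (
	secPat = regexp.MustCompile(`\bsec-c-[A-Za-z0-9+/=_-]{20,}`)
	pubPat = regexp.MustCompile(`\bpub-c-[0-9a-f-]{36}\b`)
	subPat = regexp.MustCompile(`\bsub-c-[0-9a-f-]{36}\b`)
)

// Constructed sample input; none of these are real keys.
const sample = `PUBNUB_PUBLISH_KEY=pub-c-00000000-0000-0000-0000-000000000000
PUBNUB_SUBSCRIBE_KEY=sub-c-11111111-1111-1111-1111-111111111111
PUBNUB_SECRET_KEY=sec-c-EXAMPLEEXAMPLEEXAMPLEEXAMPLE`

type Triple struct{ Sec, Pub, Sub string }

// FindTriples pairs each secret key with each pub and sub key found in data.
// A secret with no pub or sub key alongside it yields nothing to verify.
func FindTriples(data string) []Triple {
	var out []Triple
	for _, s := range secPat.FindAllString(data, -1) {
		for _, p := range pubPat.FindAllString(data, -1) {
			for _, u := range subPat.FindAllString(data, -1) {
				out = append(out, Triple{s, p, u})
			}
		}
	}
	return out
}

// SignGrant returns the HMAC-SHA256 signature for a grant request.
// Assumed signing string: sub key, pub key, "grant", name-sorted query string.
func SignGrant(t Triple, sortedQuery string) string {
	mac := hmac.New(sha256.New, []byte(t.Sec))
	mac.Write([]byte(t.Sub + "\n" + t.Pub + "\ngrant\n" + sortedQuery))
	return base64.URLEncoding.EncodeToString(mac.Sum(nil))
}

func main() {
	for _, t := range FindTriples(sample) {
		fmt.Println(t.Pub, SignGrant(t, "channel=probe&timestamp=1700000000"))
	}
}
```

Requiring the full triple means a lone `sec-c-` string cannot be verified, since the signature covers the publish and subscribe keys as well.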