Readme API Token Scanner
Detects a 'Credential Disclosure' vulnerability in Readme.
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 1 week 18 hours
Scan only one: URL
Toolbox: -
Readme is a platform widely used by developers and organizations to build, manage, and present API documentation. It allows seamless integration of APIs, providing interactive guides and tools for end users. Startups, enterprises, and open-source projects often use Readme to improve developer experience and communication. The service offers features like auto-generated documentation, custom domains, and built-in API key handling. Because API keys and secrets are often embedded in projects, documentation platforms that publish project content are potential targets. If such a platform exposes sensitive information, the result is unintended data leakage.
Credential Disclosure is a security risk where sensitive tokens, such as API keys or secrets, are inadvertently exposed in public-facing components. In this case, Readme API tokens starting with "rdme_" can be found in HTTP response bodies, posing a risk of unauthorized access. Attackers can exploit these tokens to manipulate documentation, extract sensitive API usage data, or impersonate the service. Disclosure usually happens when sensitive content is embedded into web pages or committed to version control systems without proper sanitization. Exposed credentials weaken the authentication boundaries of the services that trust them. Such leaks often originate from misconfigurations or overlooked source code.
The check is triggered through a GET request to the application's base URL; the response is scanned for API tokens matching a specific regular expression pattern. The regex searches for the prefix "rdme_" followed by 70 alphanumeric characters, the format common to Readme API tokens. The match is performed on the body of the HTTP response to identify exposed tokens. This exposure may occur in documentation pages, demo environments, or misconfigured public instances. The scanner does not interact with authentication mechanisms; it performs only passive inspection of the returned content. The detection helps identify weak points in how secrets are handled within public web pages.
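The following is an added example, not the scanner's own code, showing how the passive check described above can be reproduced: fetch a page, run the "rdme_" plus 70 alphanumeric characters pattern over the response body, and report findings with the token redacted so the scan log itself does not become a second leak. The exact regex, the word-boundary anchoring, the `scan_url` helper and the sample response bodies are assumptions constructed for this example.

```python
import re
import urllib.request
from typing import Dict, List

# Pattern as described on the page: "rdme_" followed by 70 alphanumeric characters.
# The \b anchors (an assumption, not necessarily the scanner's own regex) keep a
# longer alphanumeric run from matching as if it were a truncated token.
README_TOKEN_RE = re.compile(r"\brdme_[A-Za-z0-9]{70}\b")


def find_readme_tokens(body: str) -> List[str]:
    """Return every candidate Readme API token present in an HTTP response body."""
    return README_TOKEN_RE.findall(body)


def redact(token: str) -> str:
    """Keep only the prefix and the last four characters so findings can be logged safely."""
    return f"{token[:5]}...{token[-4:]}"


def scan_body(url: str, body: str) -> Dict[str, object]:
    """Passive check: inspect an already-fetched body, never touch authentication."""
    tokens = find_readme_tokens(body)
    return {
        "url": url,
        "vulnerable": bool(tokens),
        "count": len(tokens),
        "tokens": [redact(t) for t in tokens],
    }


def scan_url(url: str, timeout: float = 10.0) -> Dict[str, object]:
    """Single GET request to the base URL, then the same body inspection (assumed helper)."""
    req = urllib.request.Request(url, headers={"User-Agent": "readme-token-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return scan_body(url, body)


# Constructed sample data (not real tokens): a 70-character alphanumeric secret
# embedded in a page the way a leaked token typically appears in inline JavaScript.
SAMPLE_SECRET = ("a1B2c3D4" * 9)[:70]
SAMPLE_BODY = f'<script>window.RDME_KEY = "rdme_{SAMPLE_SECRET}";</script>'
# A page that mentions the prefix but carries no full-length token must not alert.
CLEAN_BODY = "<p>Welcome to our docs</p><code>rdme_short</code>"
# One character too long: the boundary anchoring rejects it as a token of the expected shape.
OVERLONG_BODY = f'<meta content="rdme_{SAMPLE_SECRET}x">'


if __name__ == "__main__":
    # Offline demonstration on the constructed bodies; scan_url() is the live equivalent.
    for name, body in (("sample", SAMPLE_BODY), ("clean", CLEAN_BODY), ("overlong", OVERLONG_BODY)):
        print(name, scan_body("https://docs.example.test/", body))
```

Run it as-is to see the three constructed cases, or call `scan_url("https://your-docs-host/")` against a host you own to repeat the single-URL check. Any hit should be treated as a confirmed exposure: rotate the token, remove it from the page source and from version control history, then re-run the check.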
If exploited, malicious actors can gain unauthorized access to Readme accounts or linked API services. Attackers may extract internal documentation, modify public guides, or abuse token permissions. This could lead to data manipulation, internal information leaks, or platform impersonation. Organizations may also suffer reputation damage or service interruptions. A stolen token may grant programmatic access to sensitive components, depending on its permission scope. Upon detection, the exposed token should be rotated immediately and removed from the page source and any version control history that contains it.