Spaces:

Kiki0203
/

langsmith-chatbot

Sleeping

App Files Files Community

Live API key exposed in public Hugging Face Space

by Dante45 - opened 7 days ago

Discussion

Dante45

7 days ago

•

edited 7 days ago

Summary:
A valid, active Groq API key was found hardcoded in a public Hugging Face Space. The key was created on 4/13/2026 and is currently usable.

Steps to Reproduce:

Visit the Space: https://huggingface.co/Kiki0203/langsmith-chatbot
View the file: {.env}
The key appears as: gsk_hRjX... (full key withheld)

Impact:
An attacker could use this key to:

Incur significant API costs on your account
Access any associated data or services
Potentially pivot to internal resources if the key has broad permissions

Recommendation:

Immediately revoke the exposed key via your [provider] dashboard
Use Hugging Face Secrets (environment variables) instead of hardcoding
Rotate any other keys that may share the same pattern

Proof of Concept (Safe):
I validated the key using the provider's free /models endpoint, which confirmed it is active. No paid API calls were made.

Disclosure:
I am a 16yr old security researcher reporting this in good faith. I have not shared or abused this key. I am doing Bug hunting to be able to afford a laptop.

Request:
Does your organization have a bug bounty program? I would like to submit this for consideration, and have a great day.

Upload images, audio, and videos by dragging in the text input, pasting, or clicking here.

Tap or paste here to upload images

· Sign up or log in to comment