Does an API access token that only has access to public information need to be kept secret?
I found an Instagram Basic Display API access token leaked on a website. This token belongs to an Instagram marketing account of this website. Using my leet investigating skills, below is the information I have.
- This token has a 3-month validity period
- This token is in use (I see it was refreshed last week when its validity period was about to end), although I cannot find where it is used
- This token is a User Access Token for querying data from the Basic Display API. Docs here: https://developers.facebook.com/docs/instagram-basic-display-api
- This access token only has read access to public information
- This token will be temporarily rate limited if used too much
Do you know of any impact I can have with this access token other than rate limiting it?
Also, if this token needs to be kept secret, how can we protect it?
Your question is very specific to the usage of the 'Instagram Basic Display API (long-lived access token)', which is not just limited to displaying/accessing the public information of a profile.
You can perform Refresh Access Tokens every day, which leads to a DoS attack (the User node and Media node can be accessed only with the latest access token). Exceeding the rate limit also leads to a DoS attack. You can control the entire account if you can get a Graph API token.
Irrespective of its usage, every API access token is to be protected, and how to protect it depends on your application architecture. There are many articles listing best practices. Reference-01 Reference-02 Reference-03