Env file comments getting leaked surprised me

ubershmekel · April 2, 2020, 8:04pm

I often use one secret, then switch it with a different secret. To ease the switching, I comment out one secret and uncomment the other. Turns out that the comment is copied over when remixed. This may have caused my chat bot’s API key to get leaked. I don’t know if anyone remixed my project or not.

In general this statement seems potentially misleading:

You can use the .env file to hide sensitive information like passwords and data.

How can a user discover that comments are leaked before it’s too late?

Perhaps initialize a comment in each .env file stating very clearly in caps like “COMMENTS ARE VISIBLE TO USERS THAT REMIX THIS APP, MAKE SURE THERE ARE NO SECRETS IN YOUR COMMENTS”.

RiversideRocks · April 2, 2020, 8:08pm

Can you link me the project with the api key. (Take out the api key and replace it with random characters). I will remix it to see if I get the comments. You may have seen the comments because you made the project.

potch · April 2, 2020, 8:38pm

@ubershmekel welcome to the forum!

I’m sorry you had that experience. I’ve passed this feedback on to the team and we’re going to make sure starter projects with .env files have a proper warning in them. I hope you were able to replace that API key and were not adversely affected.

ubershmekel · April 2, 2020, 10:39pm

I remixed from incognito mode and saw the comment.

Topic		Replies	Views
Glitch env secrets visible anonymous upon remixing Glitch Help editor	6	561	January 18, 2020
Scrubbed by Glitch 2020-03-26T09:51:49+0000 Glitch Help	2	830	April 15, 2020
Multi-line .env values visible in incognito window Glitch Feedback	3	961	June 2, 2017
Idea: Store number of remixes in .env Glitch Feedback	46	908	May 15, 2020
Might Have a Hacker Glitch Help	6	733	October 11, 2018

Env file comments getting leaked surprised me

Related Topics