Pusher API Key
Service Name: Pusher
Service Description: Pusher is a hosted service that provides real-time WebSocket-based APIs for adding live data and functionality to web and mobile applications. It enables features like live chat, notifications, real-time dashboards, and collaborative editing.
Service Address: https://pusher.com/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the application level in the Pusher dashboard.
Secret Access Scope: Grants access to publish and subscribe to channels within a specific Pusher application, allowing developers to send real-time messages to connected clients.
Secret Revokement URL: https://dashboard.pusher.com/apps
Secret Example: a1b2c3d4e5f6g7h8i9j0
Suspicious Activity Investigation Instructions:
- Review the Pusher dashboard for unusual traffic patterns or unexpected channel activity.
- Check application logs for unauthorized connection attempts or message publishing.
- Monitor for unexpected spikes in connection counts or message volumes.
- Examine the IP addresses connecting to your Pusher channels for suspicious locations.
- Review your application code for potential exposure of the Pusher key.
Mitigation Instructions:
- Log in to the Pusher dashboard at https://dashboard.pusher.com/.
- Select the affected application.
- Navigate to the App Keys section.
- Regenerate the compromised key by clicking Regenerate next to the appropriate key.
- Update the key in all legitimate application instances.
- Consider implementing channel authentication to restrict access to private channels.
- Review and update your application's security settings, including IP allowlisting if appropriate.
- Ensure your Pusher keys are stored securely and not exposed in client-side code.