Skip to content

Pusher Secret

Service Name: Pusher

Service Description: Pusher is a hosted service that provides real-time bidirectional functionality via WebSockets to web and mobile applications. It allows developers to add real-time features like notifications, chat, collaboration features, and more to their applications.

Service Address: https://pusher.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the application level through Pusher's dashboard

Secret Access Scope: Grants access to publish and subscribe to channels, trigger events, and manage Pusher application settings. The secret key should only be used server-side as it provides full access to your Pusher application.

Secret Revokement URL: https://dashboard.pusher.com/accounts/sign_in (After signing in, navigate to your app, then App Settings > App Keys to regenerate keys)

Secret Example: 7ad3773142a6692b25b8

Suspicious Activity Investigation Instructions:

  • Review Pusher dashboard logs for unusual connection patterns or event triggers
  • Check for unexpected spikes in message volume or connection counts
  • Monitor for unauthorized channels being created or accessed
  • Review application logs for API calls to Pusher that weren't initiated by your application
  • Examine event history for messages that don't match your application's expected patterns

Mitigation Instructions:

  • Log in to the Pusher dashboard at https://dashboard.pusher.com/
  • Navigate to the affected application
  • Go to App Settings > App Keys
  • Click on Regenerate next to the compromised key
  • Update the key in all legitimate application instances
  • Review and update your application's security practices to prevent future exposures
  • Consider implementing channel authorization to restrict access to sensitive channels
  • Update any webhooks or backend services that use the Pusher API