Pusher Secret
Service Name: Pusher
Service Description: Pusher is a hosted service that provides real-time bidirectional functionality via WebSockets to web and mobile applications. It allows developers to add real-time features like notifications, chat, collaboration features, and more to their applications.
Service Address: https://pusher.com/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the application level through Pusher's dashboard
Secret Access Scope: Grants access to publish and subscribe to channels, trigger events, and manage Pusher application settings. The secret key should only be used server-side as it provides full access to your Pusher application.
Secret Revokement URL: https://dashboard.pusher.com/accounts/sign_in (After signing in, navigate to your app, then App Settings > App Keys to regenerate keys)
Secret Example: 7ad3773142a6692b25b8
Suspicious Activity Investigation Instructions:
- Review Pusher dashboard logs for unusual connection patterns or event triggers
- Check for unexpected spikes in message volume or connection counts
- Monitor for unauthorized channels being created or accessed
- Review application logs for API calls to Pusher that weren't initiated by your application
- Examine event history for messages that don't match your application's expected patterns
Mitigation Instructions:
- Log in to the Pusher dashboard at https://dashboard.pusher.com/
- Navigate to the affected application
- Go to App Settings > App Keys
- Click on Regenerate next to the compromised key
- Update the key in all legitimate application instances
- Review and update your application's security practices to prevent future exposures
- Consider implementing channel authorization to restrict access to sensitive channels
- Update any webhooks or backend services that use the Pusher API