HackerOne Disclosed Reports - 2025-11-03

Medium
resolved

Microsoft `x-apikey` Exposed in Mozilla CI Public Logs


Bug reported by Omar, disclosed on November 3, 2025, at 10:34 am   |   Cleartext Storage of Sensitive Information

A Microsoft telemetry API key (`x-apikey`) was found exposed in publicly accessible Mozilla CI logs. The key appeared in HTTP POST requests sent to Microsoft's telemetry endpoint during automated Firefox testing and was captured via mitmproxy logs. The security impact was considered minimal as the telemetry API key had limited functionality. The report was accepted and a bonus was paid as recognition of the reporter's efforts.
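One way to keep such a value out of published CI logs, as an added example (not code from the report or from Mozilla's CI): a Python filter that redacts `x-apikey` values from proxy-style log text before upload and records a short hash so the key owner can tell which key to rotate. The log lines, hostname, key value, the extra `x-api-key` name and all function names are constructed for illustration.

```python
import hashlib
import re

# x-apikey is the header named in the report; x-api-key is an assumed variant.
SENSITIVE_HEADERS = ("x-apikey", "x-api-key")


def _pattern(names):
    alt = "|".join(re.escape(n) for n in names)
    # Covers `name: value`, `name=value` and `"name": "value"` forms.
    # The lookahead skips values already redacted, so the filter is idempotent.
    return re.compile(
        r"""(?P<prefix>["']?\b(?P<name>""" + alt + r""")["']?\s*[:=]\s*["']?)"""
        r"""(?P<value>(?!\[REDACTED)[^\s"',;]+)""",
        re.IGNORECASE,
    )


def redact_log(text, names=SENSITIVE_HEADERS):
    """Return (redacted_text, findings) for one log file's contents."""
    findings = []

    def _sub(m):
        # Truncated SHA-256 identifies the key without disclosing it.
        fp = hashlib.sha256(m.group("value").encode()).hexdigest()[:12]
        findings.append({
            "line": text.count("\n", 0, m.start()) + 1,
            "header": m.group("name").lower(),
            "sha256_prefix": fp,
        })
        return f"{m.group('prefix')}[REDACTED sha256:{fp}]"

    return _pattern(names).sub(_sub, text), findings


# Constructed sample: not real CI output, host and key are placeholders.
SAMPLE_LOG = """\
[task 2025-01-01T00:00:00Z] mitmdump: POST https://telemetry.example.invalid/collect
[task 2025-01-01T00:00:00Z]     content-type: application/json
[task 2025-01-01T00:00:00Z]     X-ApiKey: CONSTRUCTED-KEY-0000
[task 2025-01-01T00:00:01Z] headers={"x-apikey": "CONSTRUCTED-KEY-0000", "accept": "*/*"}
"""

if __name__ == "__main__":
    clean, hits = redact_log(SAMPLE_LOG)
    print(clean)
    for hit in hits:
        print(hit)
```

A CI step can treat a non-empty findings list as a reason to block publishing the raw log and to rotate the key identified by the hash prefix.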

