Let's say I make a go program where in the source code I create a string variable with a hard-coded value that contains an API token, then I build the program, transfer it to another remote machine, then run the binary on that machine.
Is it possible to retrieve the API token from the binary content ? or even from inspecting the process at runtime ?
Let's use this modern basic example with standard Go tools:
import "golang.org/x/oauth2"
//[...]
ts := oauth2.StaticTokenSource(&oauth2.Token{AccessToken: "<my_API_token>"})
client := NewClient(oauth2.NoContext, ts)
Can this code leak the token from its resulting compiled binary ?
Yes. Type strings <program>
and that will in most cases be enough to spit it out.