API Keys Exposed - Researchers Discover Major Breach
In short: researchers found large numbers of live API keys exposed on public websites, and those keys can let attackers reach the services they unlock.
Researchers found nearly 2,000 exposed API keys on thousands of websites. This puts sensitive data at risk, affecting major corporations and government agencies. Immediate action is crucial to secure these credentials and prevent potential breaches.
What Happened
Researchers conducted a thorough analysis of 10 million websites and uncovered nearly 2,000 exposed API credentials on over 10,000 webpages. This alarming discovery highlights a significant security oversight, as many organizations have inadvertently left sensitive information accessible to anyone on the internet. The study, titled "Keys on Doormats: Exposed API Credentials on the Web," emphasizes the need for dynamic analysis of websites, rather than just focusing on code repositories.
The researchers, led by Nurullah Demir from Stanford, used a tool called TruffleHog to scan for these credentials. As they note, API keys act as access tokens that let applications interact with third-party services, so an exposed key can grant unauthorized access to critical infrastructure, including cloud platforms and payment services.
Who's Affected
The findings revealed that the exposed API keys belonged to various organizations, including multinational corporations, government agencies, and a global bank. One particularly concerning case involved a major financial institution that had exposed its cloud credentials directly on its public webpages. This oversight could potentially allow attackers to access sensitive databases and key management systems.
Additionally, the researchers found credentials for a developer responsible for firmware used in drones and remote-controlled devices. If exploited, attackers could modify source code and deploy malicious firmware updates, posing a significant risk to users of these devices.
What Data Was Exposed
The analysis revealed that cloud services like AWS and payment services such as Stripe accounted for the majority of the exposed credentials. Specifically, AWS credentials represented over 16% of all verified exposures, found on 4,693 websites. Other frequently exposed services included SendGrid and Twilio, often due to embedded third-party resources.
Most of the exposed credentials were located in JavaScript files (84%), with a smaller percentage found in HTML (8%) and JSON (7%). Some unusual cases even included a verified GitHub access token embedded in a CSS file, showcasing the varied ways sensitive information can be mishandled.
What You Should Do
Organizations must act immediately to address these exposures. The researchers reported that after they notified affected organizations, the number of exposed credentials dropped by half within two weeks, which indicates that many developers were previously unaware their keys were public.
To protect against such vulnerabilities:
- Regularly audit your code and public resources for exposed credentials.
- Implement best practices for API key management, including using environment variables and secret management tools.
- Educate your development teams on the importance of securing sensitive information.
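The audit step above applies to what a site actually serves, not only its source repositories: the study found keys in JavaScript, HTML, JSON and even CSS. The following scanner is an added example, not code from the paper or from TruffleHog; it runs provider-format checks plus a generic entropy rule over constructed sample assets (all key values are made-up placeholders) and reports findings redacted, so the report itself never becomes a second leak.

```python
import math
import re

# Constructed sample assets standing in for files a crawler would download from a
# site's public URLs; every credential-looking value here is a made-up placeholder.
SAMPLE_ASSETS = {
    "app.bundle.js": 'const cfg = {region: "us-east-1", accessKeyId: "AKIAEXAMPLEKEY123456"};',
    "index.html": '<script>var stripe = Stripe("sk_live_EXAMPLEKEY00000000000000");</script>',
    "theme.css": '/* build token: ghp_EXAMPLEtoken0123456789abcdefghijklmn */',
    "config.json": '{"api_token": "9fQ2xLw7vB3kRt8pZm1nYc5hJd0sAe"}',
    "clean.js": 'var apiVersion = "2024-01-01"; console.log("hello");',
}

# Well-known public key prefixes (not an exhaustive list); a generic rule below
# catches credentials whose format is unknown.
PROVIDER_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_live_secret": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
    "github_pat": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
}
# A key/secret/token/password-like name followed by a quoted value of 16+ chars.
ASSIGNMENT = re.compile(r"(?i)(key|secret|token|password)\w*\W{1,4}[\"']([^\"']{16,})[\"']")

def shannon_entropy(s: str) -> float:
    """Bits per character; random credentials score well above prose, dates or versions."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def redact(value: str) -> str:
    """Never write the full secret to a report or log; keep a short prefix and the length."""
    return value[:6] + "..." + f"({len(value)} chars)"

def find_secrets(content: str, entropy_threshold: float = 3.5) -> list[tuple[str, str]]:
    """Return (rule, redacted_value) for every credential-like string in one asset."""
    hits = []
    for rule, pattern in PROVIDER_PATTERNS.items():
        hits += [(rule, redact(m.group(0))) for m in pattern.finditer(content)]
    for m in ASSIGNMENT.finditer(content):
        value = m.group(2)
        # Skip values a provider rule already reported; flag only random-looking ones.
        if not any(p.search(value) for p in PROVIDER_PATTERNS.values()) \
                and shannon_entropy(value) >= entropy_threshold:
            hits.append(("high_entropy_assignment", redact(value)))
    return hits

def audit_assets(assets: dict[str, str]) -> dict[str, list[tuple[str, str]]]:
    """Scan every served asset (JS, HTML, CSS, JSON alike); keep only those with findings."""
    report = {name: find_secrets(body) for name, body in assets.items()}
    return {name: hits for name, hits in report.items() if hits}

if __name__ == "__main__":
    for name, hits in audit_assets(SAMPLE_ASSETS).items():
        print(name, hits)
```

In practice the asset dictionary would be populated by fetching each page and the scripts, stylesheets and JSON it references, and any hit should be rotated and verified rather than merely deleted from the file.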
The historical analysis showed that exposed credentials remain accessible for an average of 12 months, with some persisting for years. Organizations therefore need to stay vigilant and proactive in securing their API keys and other sensitive information.
The Register Security