Researchers identified nearly 10,000 websites where API keys could be found, exposing details that could let attackers access sensitive information
Critical security credentials are inadvertently being exposed on thousands of websites – including those run by some banks and healthcare providers. The leaked details could have given snoopers access to sensitive data like RSA private keys, which allow attackers to impersonate servers, decrypt private communications or gain full administrative control of a company’s digital infrastructure.
“This is a very significant issue, and it doesn’t affect only small companies, but some very big companies,” says Demir.

Demir and his colleagues analysed 10 million web pages to uncover how many leaked application programming interface credentials. API keys allow different software systems to seamlessly communicate, acting as access tokens for cloud platforms, payment processors and messaging services. By scanning the web, the researchers identified 1748 verified, active credentials from 14 major service providers – including Amazon Web Services, Stripe, GitHub and OpenAI – scattered across nearly 10,000 websites.

The vulnerability isn’t the fault of those companies, but of the software developers and website operators who used their services to build and run websites. While the researchers didn’t directly name the companies affected, they did disclose that they include a “global systematically important financial institution”, a “firmware developer” and a “major hosting platform”.

“We notified all the companies which we have identified an exposure for,” says Demir. Within two weeks, about 50 per cent of the organisations removed the exposed API keys, but some of them didn’t respond, he says. The exposed credentials remained publicly accessible for an average of 12 months, with some online for as long as five years.

The majority of those credentials exposed – some 84 per cent of those found – were discovered within JavaScript environments, something the researchers believe may be a consequence of software developers using bundler tools to package their code in a way that can be used online. Another 16 per cent of the exposed credentials stemmed from third-party resources, meaning a poorly configured external plug-in or script could broadcast an organisation’s sensitive keys across the internet.

“None of these developers intended to be insecure; many of them didn’t even actually make a mistake in the first place,” says [name missing] at Manchester Metropolitan University, UK.
The API keys were instead made public because of programming quirks associated with how the language works and runs on the server. “They did everything right and it went into the machine that is their development pipeline and it was revealed,” she says.

“API keys act in lieu of credentials and they allow whoever has them to act as an authorised user on a given service,” says Nikiforakis at Stony Brook University, New York. The problem is that sometimes those can be misconfigured and end up being inadvertently shared publicly – with catastrophic consequences. “Accidentally revealing an API key to the public allows attackers who find it to abuse it,” says Nikiforakis.

Tackling the problem is a shared responsibility, says Demir. “Developers, of course, have to care when they use these API credentials,” he says, making sure they configure development environments in the right way. The creators of website-building tools need to design their software so that secret keys are hidden automatically by default, rather than relying on developers to manually secure them, he adds, and the companies hosting these websites should actively scan for leaked keys and deactivate them immediately.
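The two failure modes the article describes (a bundler inlining environment variables into client-side JavaScript, and a third-party script carrying a key) are exactly what a pre-deployment secret scan over built assets catches. The scanner below is an added example written for this article, not code from the researchers or from any of the providers named; the key prefixes it looks for (AKIA, sk_live_/sk_test_, ghp_, sk-) are the publicly documented ones, the length constraints are assumptions, and both the "bundle" and the "widget" it scans are constructed samples with made-up credentials (the AWS id is the one from AWS's own documentation).

```python
import math
import re
from typing import Dict, List

# Illustrative regexes for the key formats of providers the article names.
# Prefixes are the documented public ones; the lengths are assumptions for this example.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{16,}\b"),
    "github_token": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
    "openai_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
}


def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking secrets score high, filler like AKIAAAA... scores low."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, source: str, origin: str, min_entropy: float = 3.0) -> List[Dict]:
    """Return one finding per credential-shaped token in `text`, skipping low-entropy placeholders."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                token = m.group(0)
                if shannon_entropy(token) < min_entropy:
                    continue  # looks like a template value, not a live credential
                findings.append({
                    "kind": kind,
                    "token": token,
                    "redacted": token[:8] + "…",  # never log the full secret
                    "source": source,
                    "origin": origin,
                    "line": lineno,
                })
    return findings


def scan_site(assets: Dict[str, str]) -> List[Dict]:
    """Scan every served script; a path-only key is first-party, a full URL is a third-party resource."""
    results = []
    for url, body in assets.items():
        origin = "first-party" if url.startswith("/") else "third-party"
        results.extend(scan_text(body, url, origin))
    return results


# Constructed sample of bundler output: process.env.* values were inlined at build time.
FIRST_PARTY_BUNDLE = "\n".join([
    "// app.bundle.js (constructed sample, not from any real site)",
    'const STRIPE_KEY = "sk_live_Z9xK2mQ4vL7nR8pT3wB6yD1h";',
    'const AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE";  // AWS documentation example id',
    'const PLACEHOLDER = "' + "AKIA" + "A" * 16 + '";  // low-entropy filler, should be ignored',
    'const STRIPE_PUBLISHABLE = "pk_live_notasecretokayinbrowser";  // publishable keys are meant to ship',
])

# Constructed sample of an external plug-in that embeds its operator's keys.
THIRD_PARTY_WIDGET = "\n".join([
    "// widget.js served from a third-party CDN (constructed sample)",
    'const OPENAI_KEY = "sk-constructedExampleKey123456789";',
    'const GH_TOKEN = "ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8";',
])

SAMPLE_ASSETS = {
    "/static/app.bundle.js": FIRST_PARTY_BUNDLE,
    "https://cdn.example-plugin.invalid/widget.js": THIRD_PARTY_WIDGET,  # placeholder host
}


if __name__ == "__main__":
    for f in scan_site(SAMPLE_ASSETS):
        print(f"{f['origin']:<12} {f['kind']:<18} {f['redacted']:<12} {f['source']}:{f['line']}")
```

Run against the constructed assets this reports four findings (two first-party, two third-party) and drops the low-entropy placeholder. In a real pipeline the scan would run over the build output directory and over any scripts the site pulls in at runtime, and a hit would fail the deployment so the key can be rotated before it is ever served.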