    Benjamin Franklin Institute

    Security credentials inadvertently leaked on thousands of websites

    By Team_Benjamin Franklin Institute, March 23, 2026


    Leaked keys could have let attackers take control of a company’s digital infrastructure

    Vertigo3d/Getty Images

    Critical security credentials are inadvertently being exposed on thousands of websites – including those run by some banks and healthcare providers.

    The leaked details could have given snoopers access to sensitive data like RSA private keys, which allow attackers to impersonate servers, decrypt private communications or gain full administrative control of a company’s digital infrastructure. “This is a very significant issue, and it doesn’t affect only small companies, but some very big companies,” says Nurullah Demir at Stanford University in California.

    Demir and his colleagues analysed 10 million web pages to uncover how many of them leaked application programming interface (API) credentials. API keys allow different software systems to seamlessly communicate, acting as access tokens for cloud platforms, payment processors and messaging services.

    By scanning the web, the researchers identified 1748 verified, active credentials from 14 major service providers – including Amazon Web Services, Stripe, GitHub and OpenAI – scattered across nearly 10,000 websites.

    The vulnerability isn’t the fault of those companies, but of the software developers and website operators who used their services to build and run websites. While the researchers didn’t directly name the companies affected, they did disclose that they include a “global systematically important financial institution”, a “firmware developer” and a “major hosting platform”.

    “We notified all the companies which we have identified an exposure for,” says Demir. Within two weeks, about 50 per cent of the organisations removed the exposed API keys, but some of them didn’t respond, he says.

    The exposed credentials remained publicly accessible for an average of 12 months, with some online for as long as five years. The majority of those credentials exposed – some 84 per cent of those found – were discovered within JavaScript environments, something the researchers believe may be a consequence of software developers using bundler tools to package their code in a way that can be used online.

    Another 16 per cent of the exposed credentials stemmed from third-party resources, meaning a poorly configured external plug-in or script could broadcast an organisation’s sensitive keys across the internet.

    “None of these developers intended to be insecure; many of them didn’t even actually make a mistake in the first place,” says Katie Paxton-Fear at Manchester Metropolitan University, UK. The API keys were instead made public because of programming quirks associated with how the language works and runs on the server. “They did everything right and it went into the machine that is their development pipeline and it was revealed,” she says.

    Leaked API keys and credentials are “a real issue in modern software development”, says Nick Nikiforakis at Stony Brook University, New York. “API keys act in lieu of credentials and they allow whoever has them to act as an authorised user on a given service.” The problem is that sometimes those can be misconfigured and end up being inadvertently shared publicly – with catastrophic consequences. “Accidentally revealing an API key to the public allows attackers who find it to abuse it,” says Nikiforakis.

    Tackling the problem is a shared responsibility, says Demir. “Developers, of course, have to [take] care when they use these API credentials,” he says, making sure they configure development environments in the right way. The creators of website-building tools need to design their software so that secret keys are hidden automatically by default, rather than relying on developers to manually secure them, he adds, and the companies hosting these websites should actively scan for leaked keys and deactivate them immediately.
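
As an added illustration (not code from the researchers or from this article's source), a pre-deploy check of the kind described above can scan a site's own built JavaScript for credential-shaped strings. The patterns are the publicly documented key prefixes for three of the providers named in the article plus the PEM header for RSA private keys; the rule names, file name and sample bundle are constructed for the example.

```javascript
// Scan built JavaScript for credential-shaped strings before it is published.
// Rule names are illustrative; patterns follow the providers' documented prefixes.
const RULES = [
  { name: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/g },
  // Stripe publishable keys (pk_live_) are meant to be public and are not flagged.
  { name: "stripe-secret-key", re: /\bsk_live_[0-9A-Za-z]{24,}\b/g },
  { name: "github-token", re: /\bghp_[0-9A-Za-z]{36}\b/g },
  { name: "rsa-private-key", re: /-----BEGIN RSA PRIVATE KEY-----/g },
];

// Never write the full secret into a report or CI log.
function redact(s) {
  return `${s.slice(0, 8)}...(${s.length} chars)`;
}

// Returns one finding per match: file, 1-based line and column, rule, redacted value.
function scanBundle(fileName, text) {
  const findings = [];
  text.split("\n").forEach((line, i) => {
    for (const { name, re } of RULES) {
      for (const m of line.matchAll(re)) {
        findings.push({
          file: fileName,
          line: i + 1,
          column: m.index + 1,
          rule: name,
          match: redact(m[0]),
        });
      }
    }
  });
  return findings;
}

// Constructed sample: what a bundle looks like after a bundler has inlined
// build-time environment variables as string literals. All values are fake.
const SAMPLE_BUNDLE = [
  'const cfg={region:"us-east-1",accessKeyId:"' + "AKIA" + "A".repeat(16) + '"};',
  'const stripe=Stripe("' + "pk_live_" + "0".repeat(24) + '");',
  'fetch(u,{headers:{Authorization:"Bearer ' + "sk_live_" + "0".repeat(24) + '"}});',
  'const gh="' + "ghp_" + "b".repeat(36) + '";',
].join("\n");

console.log(scanBundle("app.min.js", SAMPLE_BUNDLE));
```

A non-empty result should fail the build, and any key that has already been published needs to be revoked and rotated, not just removed from the next release.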
