Exposed API Credentials Found on Thousands of Websites
Severity: High (Score: 64.5)
Sources: Theregister
Summary
A study analyzing 10 million websites has uncovered nearly 2,000 exposed API credentials across 10,000 webpages. Researchers from Stanford, led by Nurullah Demir, used the tool TruffleHog to identify 1,748 valid credentials belonging to various organizations, including multinational corporations and government agencies. The exposed API keys grant access to critical services such as AWS, GitHub, and payment platforms like Stripe. Notably, a global bank's cloud credentials were found publicly accessible, posing significant security risks. The findings indicate that 84% of the exposed credentials were located in JavaScript files, with many appearing in bundles created by build tools. This research highlights the need for dynamic analysis of production websites to address the issue of exposed credentials effectively.
Key Points
- Nearly 2,000 API credentials were found exposed on 10,000 webpages.
- The analysis revealed that 84% of exposed credentials were in JavaScript files.
- A global bank's cloud credentials were among the sensitive information discovered.
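To show the kind of check the study calls for, here is an added example (not code from the study or from TruffleHog) that scans a constructed JavaScript bundle for the credential formats named above and reports redacted findings; the regexes are assumed approximations of the public key formats, and the sample bundle is constructed.

```python
import re
from typing import List, NamedTuple

# Provider-specific key formats (assumed approximations of the public formats;
# real scanners such as TruffleHog use many more detectors plus live verification).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_live_secret": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

class Finding(NamedTuple):
    kind: str
    line: int
    redacted: str  # never store or log the full secret

def redact(secret: str) -> str:
    """Keep the prefix and last 4 chars so a finding is triageable but not reusable."""
    return secret[:8] + "..." + secret[-4:]

def scan_js(source: str) -> List[Finding]:
    """Scan the text of a fetched JavaScript bundle, line by line, for known key formats."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append(Finding(kind, lineno, redact(m.group(0))))
    return findings

# Constructed sample bundle: the shape a build tool can emit when it inlines
# environment values into client-side code. The AWS key is the AWS docs example ID.
SAMPLE_BUNDLE = """\
const cfg = {region: "us-east-1", accessKeyId: "AKIAIOSFODNN7EXAMPLE"};
const stripe = Stripe("pk_live_publishablekeysarefine000000");
fetch("/api", {headers: {Authorization: "token ghp_EXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE1"}});
// secret: "sk_live_0000000000000000EXAMPLEKEY"
"""

if __name__ == "__main__":
    for f in scan_js(SAMPLE_BUNDLE):
        print(f"{f.kind:20} line {f.line}: {f.redacted}")
```

The publishable `pk_live_` key on line 2 is deliberately not flagged; only secret-bearing formats produce findings.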
Key Entities
- Data Breach (attack_type)
- Financial (industry)
- Government (industry)
- AWS (company)
- Cloudflare (company)
- OpenAI (company)
- Twilio (company)
- GitHub (platform)
- Stripe (platform)
- SendGrid (tool)
- TruffleHog (tool)