Exposed API Keys: 2,000 Credentials Found on 10,000 Websites

by Priyanka Patel

A sweeping analysis of 10 million websites has uncovered nearly 2,000 exposed API credentials across 10,000 webpages, raising concerns about the vulnerability of critical online infrastructure. The research, conducted by a team from Stanford University, UC Davis, and TU Delft, highlights a significant and often overlooked security risk: the accidental public exposure of keys that grant direct access to cloud platforms, payment processors, and other essential services.

Even as much of the focus in cybersecurity has been on identifying exposed credentials within code repositories, this study demonstrates the prevalence of these vulnerabilities in live, publicly accessible websites. Researchers argue that actively scanning production environments is crucial to understanding the true scope of the problem. The findings, detailed in a preprint paper titled “Keys on Doormats: Exposed API Credentials on the Web,” suggest that the number of compromised keys is likely far greater than previously understood.

“What we found were highly sensitive API credentials left publicly exposed on public webpages,” explained Nurullah Demir, a PhD candidate at Stanford and the corresponding author of the study. “These act as access tokens that authorize applications to interact with third-party services, granting direct access to critical infrastructure like cloud platforms and payment providers.” The potential consequences of such exposure range from data breaches and financial loss to disruption of essential services.

The team utilized a tool called TruffleHog to scan the websites, identifying 1,748 valid credentials belonging to a diverse range of organizations, including multinational corporations, entities operating critical infrastructure, and even government agencies. The exposed keys provided access to widely used services such as Amazon Web Services (AWS), GitHub, Stripe, and OpenAI.

The Danger of Programmatic Access

Demir emphasizes that API credentials pose a greater risk than traditional login details. “API credentials provide programmatic access to resources,” he said. “An attacker doesn’t need to impersonate a user; they can directly instruct the system to perform actions.” This means that an attacker holding a valid API key could automate malicious activities, such as accessing sensitive data, making unauthorized transactions, or even taking control of critical systems.

The researchers discovered that a “Global Systemically Important Financial Institution” – a designation reserved for financial institutions whose failure could trigger a wider financial crisis – had exposed its cloud credentials directly on its webpages. This exposure granted access to core cloud infrastructure services, including databases and key management systems, according to the study. Another affected organization was identified as a firmware manufacturer for drones and remote-controlled devices, raising the possibility of malicious firmware updates being pushed to vulnerable devices.

Where are the Keys Hiding?

The study revealed that the vast majority of exposed credentials – 84 percent – were found within JavaScript resources. HTML files accounted for eight percent, while JSON files comprised seven percent. Researchers even uncovered a verified GitHub access token embedded within a CSS file, demonstrating the unexpected places where these sensitive keys can be inadvertently exposed.

A significant portion of the credential exposures within JavaScript files – 62 percent – were found in bundles created by build tools like Webpack. This suggests that the process of bundling and minifying code for web deployment can sometimes inadvertently include sensitive credentials. The researchers noted that AWS credentials were the most frequently exposed, appearing on over 4,693 websites and representing more than 16 percent of all verified exposures. Other commonly exposed services included Cloudflare, Stripe, Razorpay, SendGrid, and Twilio.

Rapid Response and Lingering Risks

Following the discovery, the research team proactively contacted the affected organizations to alert them to the exposed credentials. According to Demir, this outreach proved effective, with the number of exposed credentials declining by approximately 50 percent within two weeks. “When we got feedback from the developers, we saw that a significant number of them were completely unaware of the exposures,” he explained.

Still, the researchers also found that exposed credentials often remain publicly available for extended periods. Their historical analysis indicated an average exposure time of 12 months, with some credentials remaining visible for years. This prolonged exposure window significantly increases the risk of exploitation.

Demir cautioned that the 1,748 verified credentials represent a lower bound on the actual number of exposed keys. “We only verified credentials for 14 different service providers,” he said. “We strongly believe that the actual number of exposed credentials across the web is much higher than what we captured in this study.”

What This Means for Organizations

The findings underscore the importance of robust security practices throughout the software development lifecycle. Organizations should implement rigorous code review processes, use secret management tools to securely store and manage API keys, and regularly scan their web applications for exposed credentials. Automated scanning tools, like TruffleHog, can help identify and remediate these exposures before they are exploited by malicious actors.
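To make concrete both the breakdown by resource type reported above (JavaScript, HTML, JSON, CSS, and bundler output) and the scanning step recommended here, the following Python script is an added, illustrative example; it is not code from the article, the study, or TruffleHog. It scans a constructed set of fetched web resources for credential formats that carry a well-known public prefix, notes whether a JavaScript file looks like bundler output, redacts every match before reporting it, and tallies findings by resource type. The URLs, resource bodies and keys are all constructed (the AWS access key ID is the one used in AWS documentation), the detector list is a small stand-in and an assumption rather than a real detector set, and the step the study performed next, checking each candidate against the provider to confirm it is live, is deliberately not shown.

```python
import re
from collections import Counter

# Illustrative detectors keyed on documented public key prefixes. Assumption: a
# small stand-in for a real detector set such as TruffleHog's, not a copy of it.
# Secrets without a distinctive prefix (e.g. the AWS secret access key that
# accompanies an access key ID) are not caught by prefix matching and need
# contextual detectors, which this example omits.
_LEAD = r"(?<![A-Za-z0-9_-])"   # not preceded by a key character
_TRAIL = r"(?![A-Za-z0-9_-])"   # not followed by a key character
PATTERNS = {
    "aws_access_key_id": re.compile(_LEAD + r"AKIA[0-9A-Z]{16}" + _TRAIL),
    "github_pat": re.compile(_LEAD + r"ghp_[A-Za-z0-9]{36}" + _TRAIL),
    "stripe_secret_key": re.compile(_LEAD + r"sk_live_[A-Za-z0-9]{24,}" + _TRAIL),
    "sendgrid_api_key": re.compile(
        _LEAD + r"SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}" + _TRAIL),
}

# Identifiers webpack emits into its output; used only as a "looks bundled" heuristic.
BUNDLER_MARKERS = ("__webpack_require__", "webpackChunk", "webpackJsonp")

# Constructed sample of resources a crawler might fetch from one site:
# url -> (Content-Type header, response body). All values are made up.
SAMPLE_RESOURCES = {
    "https://example.test/static/js/main.8f3c2a.js": (
        "application/javascript",
        '(()=>{var e={};function __webpack_require__(t){return e[t]}'
        'var r="AKIAIOSFODNN7EXAMPLE";var s="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";'
        'fetch("https://api.example.test",{headers:{Authorization:'
        '"Bearer sk_live_EXAMPLE0123456789abcdefgh"}})})();',
    ),
    "https://example.test/static/css/theme.css": (
        "text/css",
        "body{margin:0} /* TODO remove: ghp_0123456789abcdefghijABCDEFGHIJ012345 */",
    ),
    "https://example.test/config.json": (
        "application/json",
        '{"sendgrid": {"apiKey": "SG.EXAMPLE0123456789abcde.'
        '0123456789abcdefghijklmnopqrstuvwxyzABCDEFG"}}',
    ),
    "https://example.test/": (
        "text/html",
        '<html><head><script src="/static/js/main.8f3c2a.js"></script></head>'
        "<body>Hello</body></html>",
    ),
}


def classify(url, content_type):
    """Map a fetched resource to one of the categories the study reports on."""
    ct = content_type.lower()
    if "javascript" in ct or url.endswith(".js"):
        return "javascript"
    if "css" in ct or url.endswith(".css"):
        return "css"
    if "json" in ct or url.endswith(".json"):
        return "json"
    if "html" in ct or url.endswith((".html", "/")):
        return "html"
    return "other"


def looks_like_bundle(body):
    """Heuristic: does this JavaScript carry the markers a bundler leaves behind?"""
    return any(marker in body for marker in BUNDLER_MARKERS)


def redact(secret):
    """Keep enough of a match to locate it, never enough to reuse it."""
    return secret[:8] + "..." + secret[-4:]


def scan_resource(url, content_type, body):
    """Return one finding per credential-shaped string in a single resource."""
    kind = classify(url, content_type)
    bundled = kind == "javascript" and looks_like_bundle(body)
    return [
        {"url": url, "resource_type": kind, "detector": name,
         "match": redact(m.group(0)), "bundled": bundled}
        for name, pattern in PATTERNS.items()
        for m in pattern.finditer(body)
    ]


def scan_site(resources):
    """Scan every fetched resource of a site and collect the findings."""
    findings = []
    for url, (content_type, body) in resources.items():
        findings.extend(scan_resource(url, content_type, body))
    return findings


def summarize(findings):
    """Count findings per resource type, the breakdown the study reports."""
    return Counter(f["resource_type"] for f in findings)


if __name__ == "__main__":
    results = scan_site(SAMPLE_RESOURCES)
    for f in results:
        flag = " [bundled]" if f["bundled"] else ""
        print(f"{f['resource_type']:<10} {f['detector']:<18} {f['match']}{flag}  {f['url']}")
    print("by resource type:", dict(summarize(results)))
```

In a real deployment the scan runs over the assets your own crawler fetches from your production hostnames, and each candidate is then verified with the provider before anyone is paged; the redacted form is what belongs in tickets and logs, since a full key in a finding is itself a second exposure.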

The researchers plan to continue their work, expanding the scope of their analysis to include a wider range of service providers and developing more sophisticated techniques for detecting and mitigating credential exposure. The next step, Demir indicated, is to refine their scanning methodology to identify patterns and predict potential exposure points, allowing for proactive security measures.

This research serves as a critical reminder that even seemingly secure systems can be vulnerable to accidental exposure. Ongoing vigilance and proactive security measures are essential to protecting sensitive data and maintaining the integrity of online infrastructure.
