Researchers find hundreds of exposed API keys providing access to AWS, GitHub, Stripe, and OpenAI

Developers clearly have their work cut out for them: security researchers from Stanford University analyzed 10 million websites and found almost 2,000 API credentials across 10,000 of them. The keys are valid and provide access to services such as AWS, GitHub, and OpenAI.
Application programming interfaces (APIs) have become a central part of the modern IT environment, allowing developers to enrich the functionality of applications and interact with third-party services such as cloud and payment providers.
Crucially, this interaction usually runs through authentication mechanisms that depend on sensitive credentials, such as API keys and tokens, which must be handled securely.
“Exposure of these credentials can pose significant consequences to organizations, as malicious attackers can gain access to related services,” states a preprint paper titled “Keys on Doormats: Exposed API Credentials on the Web.”
“Previous studies have shown exposure of these sensitive credentials in different environments, such as cloud platforms and GitHub. However, the web remains unexplored.”
Stanford researchers took on this task and analyzed 10 million webpages, finding thousands of public webpages exposing highly sensitive API credentials that belong to critical services.
According to Nurullah Demir, a PhD candidate at Stanford and corresponding author of the study, API credentials are even more dangerous than exposed login details because they provide programmatic access to resources.
“You can think of them as usernames and passwords, but they are actually far more dangerous. They must be handled strictly securely, as their exposure directly endangers the organizations and their customers,” Demir told Cybernews in an email.
The exposed credentials affected a highly diverse group of organizations, spanning global corporations, critical infrastructure, and government agencies.
The keys belonged to major service providers such as AWS, Stripe, GitHub, and OpenAI, so, according to the researchers, the potential damage ranges from large-scale data exfiltration to physical, real-world consequences.
One of the affected organizations was a global bank. Another makes firmware for electronic devices, Demir said.
The bank reportedly exposed its cloud credentials directly on its webpages. This gave direct access to multiple core cloud infrastructure services, including databases and key management systems.
The researchers also found repository credentials for a developer responsible for firmware used by various manufacturers of drones and remote-controlled devices. Attackers could use those credentials to modify source code and push malicious firmware updates.
Most of the credentials the researchers found were present in JavaScript resources (84%), followed by HTML (8%) and JSON (7%) files. AWS credentials alone represent more than 16% of all verified exposures.
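As an added example (not code from the paper or from Cybernews), a small pre-deploy check in Python that scans a site's static build output for the public key-ID prefix formats of the services named above and reports the breakdown by file type and by service, with matched values redacted. The sample assets, paths and key values are constructed placeholders (the AWS one is the example key from AWS's own documentation), and the four patterns cover only well-known prefixes, not everything a full secret scanner detects.

```python
import re
from collections import Counter
from pathlib import PurePosixPath
# Public prefix formats of the key types the study names (a small placeholder set; real scanners carry many more).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "stripe_live_secret": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
    "openai_key": re.compile(r"\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}\b"),
}
KIND_BY_SUFFIX = {".js": "javascript", ".html": "html", ".json": "json"}

def redact(secret: str) -> str:
    """Keep only the prefix and tail so the scan report does not re-expose the key."""
    return f"{secret[:8]}...{secret[-4:]}"

def scan_text(text: str) -> list[tuple[str, str]]:
    """Return (service, redacted_value) for every credential-shaped token in text."""
    hits = []
    for service, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((service, redact(m.group(0))))
    return hits

def scan_assets(assets: dict[str, str]) -> list[dict]:
    """Scan every asset of a build; each finding records the asset path and its file kind."""
    findings = []
    for path, text in assets.items():
        kind = KIND_BY_SUFFIX.get(PurePosixPath(path).suffix.lower(), "other")
        for service, value in scan_text(text):
            findings.append({"asset": path, "kind": kind, "service": service, "value": value})
    return findings

def summarize(findings: list[dict]) -> dict[str, Counter]:  # the two views the study reports
    return {"by_kind": Counter(f["kind"] for f in findings),
            "by_service": Counter(f["service"] for f in findings)}

# Constructed sample build output; each key is a placeholder in the public prefix format only
# (the AWS value is the example key from AWS's own documentation). vendor.js holds a
# Stripe publishable key, which is meant to be public and must not be flagged.
SAMPLE_ASSETS = {
    "static/app.bundle.js": (
        'var s3 = new AWS.S3({accessKeyId: "AKIAIOSFODNN7EXAMPLE", region: "us-east-1"});\n'
        'fetch("https://api.openai.com/v1/models", {headers: {Authorization: "Bearer sk-proj-ConstructedPlaceholderKey0000000000"}});'),
    "index.html": '<script>window.STRIPE_KEY = "sk_live_ConstructedPlaceholder000000";</script><script src="/static/app.bundle.js"></script>',
    "config.json": '{"github_token": "ghp_0123456789abcdefghijABCDEFGHIJ012345", "debug": false}',
    "vendor.js": 'var pk = "pk_live_ConstructedPublishableKey00000"; // publishable, not secret',
}
if __name__ == "__main__":
    found = scan_assets(SAMPLE_ASSETS)
    print(*(f"{f['asset']} [{f['kind']}] {f['service']}: {f['value']}" for f in found), sep="\n")
    print(summarize(found))
```

Run against the real build directory, the same loop over file contents turns this into a CI gate that fails the deploy when any finding is returned.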
According to Demir, the team made sure to contact the affected organizations and disclose these exposures. Soon after, the number of exposed API keys dropped by about 50%.
The researchers are still concerned, though.
“When we got feedback from the developers, we saw that a significant number of them were completely unaware of the exposures. What is perhaps most concerning is that our historical analysis showed these credentials often remain exposed for an average of 12 months, in some cases for years,” they concluded.