Thousands of API credentials exposed on public websites

As reported by The Register, a recent analysis of 10 million websites has uncovered nearly 2,000 API credentials scattered across 10,000 webpages. The researchers highlight that this exposure channel, often overlooked in favour of code repositories, poses a direct threat to sensitive infrastructure.

The study, detailed in a preprint paper by researchers at Stanford University, the University of California, Davis, and TU Delft, used the tool TruffleHog to scan websites. It identified 1,748 valid credentials for services such as AWS, GitHub, and Stripe, belonging to multinational corporations, critical infrastructure operators, and government agencies. Such credentials act as access tokens that grant programmatic access to cloud platforms, payment providers, and even firmware repositories.

One notable finding involved a global bank exposing cloud credentials directly on its webpages, granting access to core infrastructure. Another revealed repository credentials for firmware used in drones and remote-controlled devices, which could potentially allow malicious updates. The majority of these exposures were found in JavaScript files, with AWS credentials representing over 16% of all verified exposures.

Source: The Register
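The practical takeaway for site owners is to scan their own published assets, especially JavaScript bundles, for credential-shaped strings before they ship. The following is an added example, not code from the study, from TruffleHog, or from SC Media: a minimal pre-deploy scanner that checks HTML and JS content for AWS access key IDs, classic GitHub tokens and Stripe live secret keys, reports them masked, and leaves Stripe publishable keys (which are meant for browsers) alone. The regexes are assumptions based on publicly documented key formats, the sample bundle is constructed, and the AWS values are the placeholder credentials from AWS's own documentation. Verifying whether a hit is live against the provider API, as the study did with TruffleHog, is deliberately left out.

```python
"""Scan web assets (HTML/JS) for credential-shaped strings before deploy.

Added example, not from the study or from TruffleHog. Key formats below are
assumptions drawn from public documentation; the sample bundle is constructed.
"""
import re
from typing import Dict, List, Tuple

# Provider -> regex. \b anchors stop random base64 runs from matching.
# The AWS *secret* access key (40 base64 chars, no fixed prefix) is not
# pattern-matched here: it produces too many false positives on minified JS.
PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),          # classic PAT format (assumed)
    "stripe_secret_key": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),  # pk_live_ keys are public by design
}


def mask(secret: str) -> str:
    """Keep just enough to triage; never write the full value to a log."""
    return secret[:4] + "..." + secret[-4:]


def scan_asset(content: str) -> List[Tuple[str, str, int]]:
    """Return (kind, masked_value, line_no) for every match in one asset."""
    findings = []
    for line_no, line in enumerate(content.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((kind, mask(m.group(0)), line_no))
    return findings


def scan_site(assets: Dict[str, str]) -> List[Tuple[str, str, str, int]]:
    """Scan every asset of a build; returns (path, kind, masked_value, line_no)."""
    out = []
    for path, content in assets.items():
        for kind, masked, line_no in scan_asset(content):
            out.append((path, kind, masked, line_no))
    return out


# Constructed sample: a build that inlined backend config into a browser bundle.
# AWS values are the placeholder pair from AWS documentation, not real keys.
SAMPLE_ASSETS = {
    "static/app.bundle.js": (
        'const stripe = Stripe("pk_live_publishablekeyispublic0000");\n'  # publishable: expected in browsers
        'const cfg = {region: "us-east-1", '
        'accessKeyId: "AKIAIOSFODNN7EXAMPLE", '
        'secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"};\n'
        'fetch("https://api.github.com/repos/acme/firmware", '
        '{headers: {Authorization: "token ghp_0123456789abcdefghijklmnopqrstuvwxyz"}});\n'
    ),
    "static/checkout.js": 'const key = "sk_live_abcdefghijklmnopqrstuvwx";\n',
    "index.html": '<script src="/static/app.bundle.js"></script>\n',
}

if __name__ == "__main__":
    for path, kind, masked, line_no in scan_site(SAMPLE_ASSETS):
        print(f"{path}:{line_no}: {kind} {masked}")
```

Running it on the constructed bundle reports three findings (the AWS key ID and GitHub token in `app.bundle.js`, the Stripe secret in `checkout.js`) and nothing for the publishable key or the HTML page. A hit in CI should fail the build; the masked value and line number are enough to locate the offending config without copying the secret into build logs, and rotating the credential is the fix regardless of whether the page was ever crawled.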
