Researchers found 1,748 valid API credentials on public websites, including those belonging to major banks and critical infrastructure providers, highlighting the widespread nature of credential exposure.
Security researchers have uncovered a massive trove of exposed API keys across the web, finding nearly 2,000 valid credentials scattered across 10,000 websites in a comprehensive analysis of 10 million webpages.
The study, titled "Keys on Doormats: Exposed API Credentials on the Web," was conducted by researchers from Stanford, UC Davis, and TU Delft, who argue that while much attention has focused on credentials leaked through code repositories, the problem extends far beyond source code.
What the researchers discovered
Using a tool called TruffleHog, the team scanned approximately 10 million websites and identified 1,748 valid API credentials belonging to organizations ranging from multinational corporations to government agencies. These credentials provide direct access to critical services including AWS, GitHub, Stripe, and OpenAI.
"What we found were highly sensitive API credentials left publicly exposed on public webpages," said Nurullah Demir, a PhD candidate at Stanford and corresponding author of the study. "These act as access tokens that authorize applications to interact with third-party services, granting direct access to critical infrastructure like cloud platforms and payment providers."
The researchers found that API credentials pose an even greater risk than exposed login credentials because they provide programmatic access to resources rather than just human authentication.
Critical infrastructure and financial institutions affected
Among the most concerning findings was that a "Global Systemically Important Financial Institution" had exposed its cloud credentials directly on its webpages. This exposure granted direct access to multiple core cloud infrastructure services, including databases and key management systems.
Another affected organization develops firmware for electronic devices. The researchers discovered repository credentials for a developer responsible for firmware used by various manufacturers of drones and remote-controlled devices. Attackers could potentially use those credentials to modify source code and push malicious firmware updates to various devices.
Distribution and types of exposed credentials
The study found that exposure is widespread across service categories, with cloud services (e.g., AWS, Cloudflare) and payment services (e.g., Stripe, Razorpay) accounting for the majority of verified credentials. AWS credentials alone represent more than 16 percent of all verified exposures and were found on over 4,693 websites.
Email and communication services such as SendGrid and Twilio also appeared frequently, with a significant portion of their exposures originating from embedded third-party resources.
Most of the credentials were found in JavaScript resources (84 percent), followed by HTML (8 percent) and JSON (7 percent) files. The researchers even found unusual cases like a verified GitHub access token embedded in a CSS file. In JavaScript files, 62 percent of credential exposures showed up in bundles created by build tools like Webpack.
The scope of the problem
When the researchers began contacting affected organizations, they saw a significant reduction in exposed credentials, with the number declining by half in about two weeks. However, their historical analysis revealed a troubling pattern: before disclosure, these credentials had remained exposed for an average of 12 months, with some cases lasting for years.
"When we got feedback from the developers, we saw that a significant number of them were completely unaware of the exposures," Demir explained. This suggests that many organizations lack proper monitoring for credential exposure on their public-facing websites.
Why this matters
The findings highlight a critical gap in cybersecurity practices. While many organizations have processes to detect exposed credentials in code repositories, they may not be scanning their production websites for the same kind of exposure. The researchers only verified credentials for 14 different service providers, meaning the actual number of exposed credentials across the web is likely much higher than what they captured in this study.
API keys provide attackers with direct, programmatic access to cloud infrastructure, payment processing systems, and other critical services. Unlike passwords that typically require human interaction, API keys can be used to automate attacks at scale, making them particularly dangerous when exposed.
Recommendations for organizations
The researchers' findings underscore the need for comprehensive credential management practices that extend beyond source code repositories. Organizations should implement regular scanning of their public-facing websites for exposed credentials, establish processes for quickly revoking compromised keys, and ensure that development and deployment practices don't inadvertently expose sensitive credentials in production environments.
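The scanning recommended above, applied to the resource types the study found credentials in (a Webpack-style bundle, inline HTML script, a CSS comment, a JSON file), can be started with a small script. The Python below is an added example written for this article; it is not the researchers' tooling (they used TruffleHog) and not code from the paper. It assumes the providers' published key-prefix conventions for AWS access key IDs (`AKIA`), GitHub personal access tokens (`ghp_`) and Stripe live secret keys (`sk_live_`), and it uses an entropy threshold of 3.0 bits per character as a heuristic for telling placeholders from generated keys; that threshold is an assumption. All sample resources and every key value in them are constructed and deliberately invalid.

```python
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Credential formats to look for. The prefixes (AKIA, ghp_, sk_live_) are the
# providers' published key-prefix conventions; every value matched in the sample
# data below is a constructed, deliberately invalid string.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github_token": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
    "stripe_secret_key": re.compile(r"\b(sk_live_[0-9A-Za-z]{24,})\b"),
}

# Below this entropy a match is almost certainly a placeholder such as
# AKIAAAAAAAAAAAAAAAAA rather than a generated key (heuristic threshold, an assumption).
ENTROPY_THRESHOLD = 3.0


@dataclass(frozen=True)
class Finding:
    resource: str            # file or URL the match came from
    kind: str                # key in PATTERNS
    masked: str              # enough of the value to locate it, not enough to use it
    entropy: float           # Shannon entropy of the full match, bits per character
    likely_placeholder: bool # True when the entropy is below ENTROPY_THRESHOLD


def shannon_entropy(s: str) -> float:
    """Bits of Shannon entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(secret: str) -> str:
    """Keep the prefix and the last four characters so a finding is traceable but not reusable."""
    return secret[:8] + "..." + secret[-4:]


def scan_resource(name: str, content: str) -> list[Finding]:
    """Apply every pattern to one resource body; an identical match is reported once."""
    findings: list[Finding] = []
    seen: set[tuple[str, str]] = set()
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(content):
            value = match.group(1)
            if (kind, value) in seen:
                continue
            seen.add((kind, value))
            h = shannon_entropy(value)
            findings.append(Finding(name, kind, mask(value), round(h, 2), h < ENTROPY_THRESHOLD))
    return findings


def scan_site(resources: dict[str, str]) -> list[Finding]:
    """Scan a mapping of resource name -> body, e.g. everything a page loads."""
    findings: list[Finding] = []
    for name, content in resources.items():
        findings.extend(scan_resource(name, content))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per resource type (by extension), like the study's JS/HTML/JSON/CSS breakdown."""
    counts: dict[str, int] = {}
    for f in findings:
        ext = f.resource.rsplit(".", 1)[-1].lower()
        counts[ext] = counts.get(ext, 0) + 1
    return counts


# Constructed sample resources standing in for what one page loads. All key values are fake.
SAMPLE_RESOURCES = {
    # A minified Webpack-style bundle with an AWS access key ID baked into its config object.
    "app.bundle.js": (
        '!function(e){e.exports={aws:{accessKeyId:"AKIAEXAMPLEKEY012345",'
        'region:"us-east-1"},debug:!1}}({});'
    ),
    # Inline script holding a live-mode Stripe secret, plus a comment with an obvious placeholder.
    "index.html": (
        "<!-- example: " + "AKIA" + "A" * 16 + " -->\n"
        + '<script>const STRIPE_KEY = "sk_live_Qw3Er7Ty9Ui1Op5As8Df2Gh4";</script>'
    ),
    # The study's odd case: a GitHub token left in a stylesheet comment.
    "styles.css": "/* deploy token ghp_Zz9xQ3mLk7Vb2Rt5Ny8Wc4Hd1Jf6Gs0Pa3Ue */\nbody{margin:0}",
    # A clean resource, to show that nothing is reported for it.
    "data.json": '{"version": "1.4.2", "features": ["search", "export"]}',
}

if __name__ == "__main__":
    results = scan_site(SAMPLE_RESOURCES)
    for f in results:
        flag = " (placeholder?)" if f.likely_placeholder else ""
        print(f"{f.resource}: {f.kind} {f.masked} entropy={f.entropy}{flag}")
    print("by resource type:", summarize(results))
```

Point `scan_site` at the bodies of your own deployed pages and the scripts, stylesheets and JSON they pull in (including third-party resources, which the study found to be a notable source of exposures), and treat every non-placeholder finding as a key to rotate, since anything served publicly must be assumed copied. Pattern matching alone produces false positives and only covers providers with recognisable prefixes; the study verified each candidate against its provider before counting it, which this example deliberately leaves out.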
As more services move to API-based architectures, the importance of securing these credentials becomes increasingly critical. The widespread nature of the exposures found in this study suggests that credential management remains a significant challenge for organizations of all sizes, from startups to global financial institutions.
The research serves as a wake-up call for organizations to expand their security scanning beyond traditional code repositories and implement comprehensive monitoring of all public-facing assets for credential exposure.