
Security credentials inadvertently leaked on thousands of websites

Researchers identified nearly 10,000 websites where API keys could be found, exposing details that could let attackers access sensitive information

By Chris Stokel-Walker

23 March 2026

Leaked keys could have let attackers take control of a company’s digital infrastructure

Vertigo3d/Getty Images

Critical security credentials are inadvertently being exposed on thousands of websites, including those run by some banks and healthcare providers.

The leaked details could have given snoopers access to sensitive data like RSA private keys, which allow attackers to impersonate servers, decrypt private communications or gain full administrative control of a company’s digital infrastructure. “This is a very significant issue, and it doesn’t affect only small companies, but some very big companies,” says Demir at Stanford University in California.

Demir and his colleagues analysed 10 million web pages to uncover how many leaked application programming interface (API) credentials. API keys allow different software systems to communicate with each other, acting as access tokens for cloud platforms, payment processors and messaging services. Because a key is a bearer secret, any service treats whoever presents it as the legitimate account holder, which is why it must never appear in code sent to a browser.

By scanning the web, the researchers identified 1748 verified, active credentials from 14 major service providers, including Amazon Web Services, Stripe, GitHub and OpenAI, scattered across nearly 10,000 websites.

The vulnerability isn’t the fault of those companies, but of the software developers and website operators who used their services to build and run websites. While the researchers didn’t directly name the companies affected, they did disclose that they include a “global systemically important financial institution”, a “firmware developer” and a “major hosting platform”.


“We notified all the companies which we have identified an exposure for,” says Demir. Within two weeks, about 50 per cent of the organisations removed the exposed API keys, but some of them didn’t respond, he says.

The exposed credentials remained publicly accessible for an average of 12 months, with some online for as long as five years. The majority of the credentials found, some 84 per cent, were discovered inside JavaScript files, something the researchers believe may be a consequence of developers using bundler tools that package application code, together with any configuration it references, into files served to the browser.

Another 16 per cent of the exposed credentials stemmed from third-party resources, meaning a poorly configured external plug-in or script could broadcast an organisation’s sensitive keys across the internet.

“None of these developers intended to be insecure; many of them didn’t even actually make a mistake in the first place,” says a second researcher, at Manchester Metropolitan University, UK. The API keys were instead made public because of programming quirks associated with how the language works and runs on the server. “They did everything right and it went into the machine that is their development pipeline and it was revealed,” she says.

Leaked API keys and credentials are “a real issue in modern software development”, says Nikiforakis at Stony Brook University, New York. “API keys act in lieu of credentials and they allow whoever has them to act as an authorised user on a given service.” The problem is that sometimes those can be misconfigured and end up being inadvertently shared publicly, with catastrophic consequences. “Accidentally revealing an API key to the public allows attackers who find it to abuse it,” says Nikiforakis.

Tackling the problem is a shared responsibility, says Demir. “Developers, of course, have to [take] care when they use these API credentials,” he says, making sure they configure development environments in the right way. The creators of website-building tools need to design their software so that secret keys are hidden automatically by default, rather than relying on developers to manually secure them, he adds, and the companies hosting these websites should actively scan for leaked keys and deactivate them immediately.
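The bundler failure mode described above, and the scan-and-block check Demir recommends, as an added example that is not code from the paper or from any of the named providers. It models a bundler "define" pass that substitutes string literals for process.env references (the behaviour of tools such as webpack's DefinePlugin and Vite's import.meta.env, approximated here), then runs a regex scan for the credential formats of four of the providers named in the study. The environment variables, client source and key values are constructed for the example, and the regular expressions are illustrative approximations of each provider's key format, not authoritative definitions.

```javascript
// Added example (not from the paper or the article). A toy bundler-style
// "define" pass that inlines environment variables into client code, followed
// by a regex scanner for well-known credential formats. All values are
// constructed; the key patterns are approximations of each provider's format.

// Constructed build environment. STRIPE_SECRET_KEY and AWS_ACCESS_KEY_ID are
// server-only secrets; PUBLIC_API_URL is safe to ship to the browser.
const buildEnv = {
  PUBLIC_API_URL: "https://api.example.test",
  STRIPE_SECRET_KEY: "sk_live_" + "a1B2c3D4e5F6g7H8i9J0k1L2", // constructed
  AWS_ACCESS_KEY_ID: "AKIAIOSFODNN7EXAMPLE", // AWS's documented placeholder key
};

// Constructed client-side source that reads configuration from process.env.
// The stripe line is the classic mistake: server code pasted into the client.
const clientSource = `
const api = process.env.PUBLIC_API_URL;
const stripe = process.env.STRIPE_SECRET_KEY;
const aws = process.env.AWS_ACCESS_KEY_ID;
fetch(api + "/checkout", { headers: { Authorization: "Bearer " + stripe } });
`;

// Define pass: every process.env.NAME becomes a string literal in the bundle.
// With allowPrefix set, only variables carrying that prefix are inlined;
// everything else becomes `undefined` and never reaches the browser.
function inlineEnv(source, env, { allowPrefix = null } = {}) {
  return source.replace(/process\.env\.([A-Z0-9_]+)/g, (match, name) => {
    if (allowPrefix !== null && !name.startsWith(allowPrefix)) {
      return "undefined";
    }
    return name in env ? JSON.stringify(env[name]) : "undefined";
  });
}

// Illustrative credential patterns (approximate, assumed for this example).
const SECRET_PATTERNS = [
  { provider: "aws", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { provider: "stripe", re: /\bsk_live_[0-9a-zA-Z]{24,}\b/g },
  { provider: "github", re: /\bghp_[A-Za-z0-9]{36}\b/g },
  { provider: "openai", re: /\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}\b/g },
];

// Scan a built artefact (a JS bundle, an HTML page, a third-party script)
// and return every match with its provider and byte offset.
function scanForSecrets(text) {
  const findings = [];
  for (const { provider, re } of SECRET_PATTERNS) {
    for (const m of text.matchAll(re)) {
      findings.push({ provider, value: m[0], offset: m.index });
    }
  }
  return findings;
}

// Naive build: every variable is inlined, so two secrets end up in the bundle.
function demoNaiveBuild() {
  const bundle = inlineEnv(clientSource, buildEnv);
  return scanForSecrets(bundle).map((f) => f.provider).sort();
}

// Safe-by-default build: only PUBLIC_-prefixed variables are inlined, which is
// the "hidden automatically" behaviour the article argues tooling should have.
function demoSafeBuild() {
  const bundle = inlineEnv(clientSource, buildEnv, { allowPrefix: "PUBLIC_" });
  return scanForSecrets(bundle).length;
}

console.log(demoNaiveBuild()); // ["aws", "stripe"]
console.log(demoSafeBuild()); // 0
```

Run with Node. A hosting provider's check is the same scan applied to every deployed artefact before it goes live, with a positive match blocking the deploy and triggering revocation of the key at the issuing service, since a key that has been published should be treated as compromised regardless of how quickly it is removed from the page.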

Reference:

arXiv
