Researchers have identified a large number of API credentials exposed on the public web, a serious security issue for the organizations that own them. An analysis of 10 million websites turned up almost 2,000 valid API keys spread across 10,000 web pages.
Study Overview
The findings were published in a preprint paper titled “Keys on Doormats: Exposed API Credentials on the Web.” The researchers, led by Nurullah Demir, a PhD candidate at Stanford, set out to extend the study of leaked credentials beyond code repositories, the usual focus of secret-scanning research, to production websites, arguing that only by analyzing deployed pages can the true extent of the problem be measured.
Scope of the Exposure
During their investigation, the team found 1,748 valid API credentials belonging to organizations ranging from multinational corporations to critical infrastructure operators and government agencies. The credentials grant access to services such as AWS, GitHub, Stripe, and OpenAI. One affected entity was identified as a global bank whose cloud credentials were publicly exposed.
Types of Exposed Credentials
Most of the exposed credentials were for cloud services. AWS was the single most common provider, accounting for over 16 percent of all verified exposures, followed by payment platforms such as Stripe and communication services such as SendGrid and Twilio. The study found that 84 percent of the exposed credentials sat in JavaScript files, with some even embedded in CSS files. Both file types are delivered to every visitor's browser, so any secret placed in them is public by construction, whether or not it is ever rendered on the page.
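The detection side of the study, scanning a page and the JavaScript and CSS assets it links for credential-shaped strings, can be reproduced in a few dozen lines. The scanner below is an added example, not code from the paper or from NeonPulse.today. The AWS, GitHub, Stripe, SendGrid and Twilio patterns follow those providers' documented key prefixes; the OpenAI pattern and the entropy threshold are assumptions, and the sample site, its asset contents and every key in it are constructed for the example (the two AWS values are the placeholder keys AWS uses in its own documentation). The `fetch` callback is injected so the scan runs offline against the embedded dictionary; in real use it would be an HTTP GET. The researchers verified keys against each provider, which this example deliberately does not do, so a match here is a candidate, not a confirmed live credential.

```python
"""Scan an HTML page plus its external JS/CSS for credential-shaped strings."""
import math
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Prefix-anchored key formats. AWS, GitHub, Stripe, SendGrid and Twilio follow the
# providers' published formats; the OpenAI form ("sk-" / "sk-proj-") is an assumption.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "stripe_secret_key": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
    "sendgrid_api_key": re.compile(r"\bSG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}\b"),
    "twilio_account_sid": re.compile(r"\bAC[0-9a-f]{32}\b"),
    "openai_api_key": re.compile(r"\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}\b"),
}

ENTROPY_MIN = 3.0  # assumed cutoff (bits/char); drops "AKIAXXXX..." style placeholders


def shannon_entropy(s):
    """Bits per character of s; real keys are near-random, templates are not."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, source):
    """Return one finding per pattern match that survives the entropy filter."""
    findings = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            token = m.group(0)
            if shannon_entropy(token) < ENTROPY_MIN:
                continue  # placeholder left in a template, not a real secret
            findings.append({"source": source, "kind": kind, "token": token})
    return findings


class AssetCollector(HTMLParser):
    """Collect the URLs of external <script src> and <link rel=stylesheet> assets."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.assets = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.assets.append(urljoin(self.base_url, a["src"]))
        elif tag == "link" and (a.get("rel") or "").lower() == "stylesheet" and a.get("href"):
            self.assets.append(urljoin(self.base_url, a["href"]))


def scan_page(url, fetch):
    """Scan the page body (which covers inline scripts) and every linked JS/CSS file.

    fetch(url) -> str is injected so the scan can run offline; duplicates of the
    same (kind, token) are reported once, at the first asset they were seen in.
    """
    html = fetch(url)
    collector = AssetCollector(url)
    collector.feed(html)
    sources = [(url, html)] + [(u, fetch(u)) for u in collector.assets]
    seen, findings = set(), []
    for source, text in sources:
        for f in scan_text(text, source):
            key = (f["kind"], f["token"])
            if key not in seen:
                seen.add(key)
                findings.append(f)
    return findings


# Constructed sample site: one page, one bundle, one stylesheet. All keys are fake
# or are AWS's documentation placeholders; none is a live credential.
SAMPLE_SITE = {
    "https://example.test/": (
        '<html><head><link rel="stylesheet" href="/static/app.css">'
        '<script src="/static/bundle.js"></script></head><body><script>'
        'var awsKey = "AKIAXXXXXXXXXXXXXXXX";'  # template placeholder, low entropy
        'var twilioSid = "AC0123456789abcdef0123456789abcdef";'
        "</script></body></html>"
    ),
    "https://example.test/static/bundle.js": (
        'const cfg={aws:"AKIAIOSFODNN7EXAMPLE",'
        'stripe:"sk_live_51H9xPqKz3mR7tYvB2nLwQa8s",'
        'gh:"ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8",'
        'openai:"sk-proj-Ab3dE5fG7hI9jK1lM3nO5pQ7rS9tU"};'
    ),
    "https://example.test/static/app.css": (
        ".hero{background:url(https://cdn.example.test/i.png?key=AKIAI44QH8DHBEXAMPLE)}"
    ),
}


def offline_fetch(url):
    """Stand-in for an HTTP client; unknown URLs behave like an empty 404 body."""
    return SAMPLE_SITE.get(url, "")


if __name__ == "__main__":
    for f in scan_page("https://example.test/", offline_fetch):
        print(f"{f['kind']:20} {f['source']}  {f['token']}")
```

The entropy gate is a cheap way to skip the `AKIAXXXXXXXXXXXXXXXX` placeholders that templates and documentation leave behind, but it is only a triage step; the paper's counts are of credentials that actually worked, so a production scanner needs a per-provider validation call (for example, a read-only identity check) before a match is treated as an exposure.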
Response and Ongoing Risks
After the researchers notified the affected organizations, the number of exposed credentials reportedly fell by half within two weeks. Many developers had been unaware of the exposures, and historical analysis showed that such credentials stay exposed for an average of 12 months, with some persisting for years. Removing a key from a page does not revoke it, so a credential that has been public for that long has to be treated as compromised and rotated, not merely deleted. The researchers believe the true number of exposed credentials is much higher than their count, since they only verified keys for 14 service providers.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.