There are plenty of secrets to find online, if you know where to look. Since fall 2021, independent security researcher Bill Demirkapi has been building a way to find a plethora of security issues by leveraging vast sources of data that researchers often overlook. This includes automatically finding developer secrets like passwords, API keys, and authentication tokens that could give cybercriminals the ability to access corporate systems and steal data.
Demirkapi presented the results of his research today at the Defcon security conference in Las Vegas, detailing the massive amount of exposed sensitive information and website vulnerabilities. Among at least 15,000 developer credentials hardcoded into the software were hundreds of username and password details linked to the Nebraska Supreme Court and its IT systems, details needed to access Stanford University’s Slack channel, and more than 1,000 API keys belonging to OpenAI customers.
Thousands of organizations, including major smartphone makers, fintech clients, and multi-billion-dollar cybersecurity firms, have inadvertently given away secrets. In an effort to stem the tide, Demirkapi has devised a way to automatically revoke the secrets, rendering them useless to hackers.
In the second phase of his research, Demirkapi scanned data sources and found 66,000 websites with dangling subdomains that make them vulnerable to various attacks, including hijacking. Some of the world’s largest websites were vulnerable, including a development domain owned by The New York Times.
The two security issues Demirkapi looked at are well known among researchers, but by turning to unconventional datasets typically set aside for other purposes, he said he was able to identify thousands of issues collectively, an approach that could be expanded to help secure the entire web. “The goal was to find a way to discover trivial vulnerability classes at scale,” Demirkapi told WIRED. “I think there’s room for creative solutions.”
Leaked secrets, vulnerable websites
It’s relatively common for developers to accidentally include their company’s secrets in their software and code. Alon Schindel, vice president of AI and threat research at cloud security company Wiz, says there are a wide variety of secrets that developers can accidentally hard-code or expose throughout the software development pipeline. These include passwords, encryption keys, API access tokens, cloud provider secrets, TLS certificates, and more.
“The most serious risk of leaving secrets hard-coded is that if digital authentication credentials and secrets are leaked, an adversary could gain unauthorized access to a company’s codebase, databases, and other sensitive digital infrastructure,” Schindel says.
The risks are high: leaked secrets could lead to data leaks, network intrusions by hackers, and supply chain attacks, Schindel adds. A previous study in 2019 found that thousands of secrets are leaked on GitHub every day. And while various secret-scanning tools exist, these are mostly focused on specific targets and not the entire web, Demirkapi says.
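Secret-scanning tools of the kind mentioned above typically combine fixed-format patterns (PEM private key headers, cloud access key prefixes) with an entropy check on values assigned to suspiciously named variables. The following is an added illustration written for this page, not Demirkapi's tooling or any named product; it runs over a constructed configuration file whose credentials are fake placeholders.

```python
import math
import re
from collections import Counter

# Constructed sample source file: nothing here is a real credential.
# AKIAIOSFODNN7EXAMPLE is the placeholder key used in AWS documentation.
SAMPLE_SOURCE = """\
# config.py -- constructed example, nothing here is a real credential
DB_HOST = "db.internal.example"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
API_TOKEN = "q7Zr2kLm9XpW4vBn8TyU1sDf6GhJ3aKe"
DEBUG = "true"
PRIVATE_KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\\nMIIBOgIBAAJBAK...constructed...\\n-----END RSA PRIVATE KEY-----"
"""

# Fixed-format detectors: well-known shapes are the cheapest, lowest-noise signal.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "pem_private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# Variable names that suggest the assigned value is a credential.
SENSITIVE_NAME = re.compile(r"(?i)(secret|passw(or)?d|token|api_?key)")
# Simple `NAME = "value"` assignment on one line.
ASSIGNMENT = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"([^"]+)"')


def shannon_entropy(s):
    """Bits per character; random 32-character tokens score well above 4."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def scan_source(text, entropy_threshold=4.0):
    """Return (line_number, finding_type, evidence) for each suspected hardcoded secret.

    Secret values themselves are never echoed for entropy findings, so the
    scanner's own output does not become a second place the secret leaks.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                findings.append((lineno, name, match.group(0)))
        match = ASSIGNMENT.match(line)
        if match and SENSITIVE_NAME.search(match.group(1)):
            value = match.group(2)
            # Short or low-entropy values (e.g. "true", "changeme") are skipped.
            if len(value) >= 16 and shannon_entropy(value) >= entropy_threshold:
                findings.append((lineno, "high_entropy_assignment", match.group(1) + "=<redacted>"))
    return findings
```

Pattern hits are reported with the matched text because they are unambiguous; entropy hits are reported by variable name only, which is the safer default when findings are written to a ticket or log.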
During his research, Demirkapi, who rose to fame five years ago as a teenager for hacking at school, didn’t pick a company and search for its secrets, but instead looked for private keys on a mass scale. To do so, he used VirusTotal, a Google-owned website where developers can upload files, such as apps, to be scanned for potential malware.