Thousands of websites, including those of banks and healthcare providers, are inadvertently publishing security credentials. The leaked material ranges from API keys to RSA private keys, and whoever finds it could impersonate servers, decrypt private communications, or take complete administrative control of a company's digital infrastructure.
Nurullah Demir, a researcher at Stanford University in California, described the situation as “a very significant issue,” noting its impact extends beyond small businesses to encompass major corporations.
Demir and his colleagues conducted an extensive analysis of 10 million web pages, aiming to quantify the extent of leaked application programming interface (API) credentials. API keys function as access tokens, facilitating seamless communication between different software systems and granting entry to cloud platforms, payment processors, and messaging services.
Through web scanning, the research team identified 1,748 verified, active credentials from 14 prominent service providers. These included industry leaders such as Amazon Web Services, Stripe, GitHub, and OpenAI. These credentials were found scattered across nearly 10,000 individual websites.
The underlying weakness does not lie with the service providers themselves. It stems from the software developers and website operators who integrate these services into their sites and build pipelines. While the researchers opted not to name specific affected companies, their disclosure indicated that a "global systemically important financial institution", a "firmware developer" and a "major hosting platform" were among those affected.
Demir stated that all identified organisations with exposed credentials were notified. Within two weeks, approximately 50 per cent of them had removed the exposed API keys. However, he noted that some organisations did not respond to the notification.
The exposed credentials remained publicly accessible for an average of 12 months, with some online for as long as five years. The majority, approximately 84 per cent, were found in JavaScript files served to the browser. The researchers hypothesise that this is a consequence of developers using bundler tools to package their code for deployment: a bundler that inlines environment variables or configuration into the client-side bundle ships the secret to every visitor, and minification or obfuscation does nothing to hide it, since the browser must be able to read the value to use it.
The remaining 16 per cent of the exposed credentials came from third-party resources. This means a misconfigured external plug-in or script can expose an organisation's secret keys on every site that loads it, not just the site that owns the key.
Katie Paxton-Fear at Manchester Metropolitan University in the UK commented that “None of these developers intended to be insecure; many of them didn’t even actually make a mistake in the first place.” She explained that API keys were inadvertently made public due to programming quirks inherent in how the language operates and executes on the server. “They did everything right and it went into the machine that is their development pipeline and it was revealed,” she added.
Nick Nikiforakis from Stony Brook University in New York highlighted that leaked API keys and credentials represent “a real issue in modern software development.” He elaborated that “API keys act in lieu of credentials and they allow whoever has them to act as an authorised user on a given service.” The challenge arises when these keys are occasionally misconfigured and inadvertently shared publicly, leading to potentially catastrophic outcomes. “Accidentally revealing an API key to the public allows attackers who find it to abuse it,” Nikiforakis stated.
Demir emphasized that addressing this problem requires a collective effort. “Developers, of course, have to [take] care when they use these API credentials,” he advised, stressing the importance of correctly configuring development environments. He further suggested that creators of website-building tools should design their software to automatically hide secret keys by default, rather than depending on developers for manual security. Additionally, companies that host websites should proactively scan for leaked keys and immediately deactivate them.
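The scanning Demir recommends for hosting providers, and the pattern of secrets inlined into client-side JavaScript described above, can be demonstrated with a small offline scanner. The following is an added example written for this page; it is not code from the researchers, and the sample page, the script contents, the four provider patterns (illustrative, built from the publicly documented key prefixes) and the entropy cut-off of 3.5 bits per character are all assumptions constructed for the demonstration. It collects inline scripts and external script URLs from a page, fetches each script through a caller-supplied function (here a dictionary, so nothing touches the network), matches provider-specific key formats, falls back to a keyword-plus-entropy heuristic for keys without a recognisable prefix, and labels each finding first-party or third-party by comparing the script host with the page host, which is the split the article reports as 84 and 16 per cent.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Provider-specific formats. Four illustrative entries built from the publicly
# documented prefixes; a production scanner would carry one per provider.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_secret_key": re.compile(r"\bsk_live_[0-9a-zA-Z]{24,}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "openai_api_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}"),
}
# Fallback for keys with no recognisable prefix: a secret-looking name assigned a
# long string literal. Entropy filtering drops placeholders such as REPLACE_ME.
GENERIC = re.compile(
    r"(?i)(?:api[_-]?key|secret(?:[_-]?key)?|token)[\"']?\s*[:=]\s*[\"']([A-Za-z0-9_\-]{20,})[\"']"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off, tune on real data


def shannon_entropy(s: str) -> float:
    """Bits per character; a 32-char string of distinct characters scores 5.0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str) -> dict:
    """Map each candidate secret found in text to the pattern that matched it."""
    found = {}
    for name, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            found.setdefault(m.group(0), name)
    for m in GENERIC.finditer(text):
        value = m.group(1)
        if value not in found and shannon_entropy(value) >= ENTROPY_THRESHOLD:
            found[value] = "generic_high_entropy"
    return found


@dataclass(frozen=True)
class Finding:
    provider: str
    value: str
    origin: str  # "first-party" or "third-party"
    source: str  # "inline" or the script URL


class ScriptCollector(HTMLParser):
    """Gather inline <script> bodies and external script src attributes."""

    def __init__(self):
        super().__init__()
        self.inline, self.srcs, self._buf = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._buf = []  # start buffering an inline script body

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)


def classify_origin(page_url: str, script_url: str) -> str:
    same_host = urlparse(page_url).netloc == urlparse(script_url).netloc
    return "first-party" if same_host else "third-party"


def scan_page(page_url: str, html: str, fetch) -> list:
    """Scan one page; fetch(url) returns the text of an external script."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for body in collector.inline:
        for value, provider in scan_text(body).items():
            findings.append(Finding(provider, value, "first-party", "inline"))
    for src in collector.srcs:
        url = urljoin(page_url, src)
        for value, provider in scan_text(fetch(url)).items():
            findings.append(Finding(provider, value, classify_origin(page_url, url), url))
    return findings


def origin_share(findings: list) -> dict:
    return dict(Counter(f.origin for f in findings))


def mask(value: str) -> str:
    return value[:6] + "..." + value[-4:]


# Constructed sample page: a bundler has inlined a config object, including a
# publishable Stripe key (meant to be public, must not be flagged) and a placeholder.
PAGE_URL = "https://shop.example.test/checkout"
SAMPLE_HTML = """<html><head>
<script>
window.__CONFIG__={apiKey:"Zq9mT2vK8xL4nR7wP1sD6fH3jB5cV0yN",
  awsAccessKeyId:"AKIAIOSFODNN7EXAMPLE",
  STRIPE_SECRET_KEY:"sk_live_EXAMPLEEXAMPLEEXAMPLE0000",
  publishableKey:"pk_live_EXAMPLEEXAMPLEEXAMPLE0000",
  openaiKey:"sk-proj-EXAMPLE0123456789abcdefXYZ",
  token:"REPLACE_ME_REPLACE_ME_REPLACE"};
</script>
<script src="/static/app.js"></script>
<script src="https://cdn.example-widgets.test/widget.js"></script>
</head><body></body></html>"""
SAMPLE_SCRIPTS = {  # constructed external scripts, keyed by resolved URL
    "https://shop.example.test/static/app.js": 'fetch("/api/items");',
    "https://cdn.example-widgets.test/widget.js":
        'const gh="ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8";',
}

if __name__ == "__main__":
    results = scan_page(PAGE_URL, SAMPLE_HTML, lambda u: SAMPLE_SCRIPTS.get(u, ""))
    for f in results:
        print(f"{f.provider:22} {mask(f.value):20} {f.origin:12} {f.source}")
    print(origin_share(results))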
