If you know where to look, many secrets could be found online. Since fall 2021, independent security researcher Bill Demirkapi has been building ways to mine massive data sources, often overlooked by researchers, to uncover a wide range of security issues. This includes automatically uncovering developer secrets—like passwords, API keys, and authentication tokens—that can give cybercriminals access to a company’s systems and the ability to steal data.
Today, at Defcon security conference in Las Vegas, Demirkapi is revealing the results of that work, detailing a trove of leaked secrets and broader website vulnerabilities. Among at least 15,000 developer secrets hardcoded into the software, he found hundreds of username and password details associated with the Nebraska Supreme Court and its IT systems; details needed to access Stanford University Slack channels; and more than a thousand API keys belonging to OpenAI customers.
A major smartphone maker, a fintech client, and a multibillion-dollar cybersecurity firm are among the thousands of organizations whose secrets were accidentally exposed. As part of an effort to stop this, Demirkapi has come up with a way to automatically revoke the details, rendering them useless to any hackers.
In a second line of research, Demirkapi also scanned data sources to find 66,000 websites with errors. subdomain issueleaving them vulnerable to a variety of attacks, including takeovers. Some of the world’s largest websites, including a development domain owned by The New York Times, have vulnerabilities.
While the two security issues he looked at are widely known to researchers, Demirkapi said turning to nontraditional datasets, which are typically reserved for other purposes, allows for the identification of thousands of issues in bulk and, if scaled up, could potentially help protect the web as a whole. “The goal is to figure out how to detect trivial classes of vulnerabilities at scale,” Demirkapi told WIRED. “I think there’s a space for creative solutions.”
Secrets Revealed; Websites Vulnerable
It’s relatively common for a developer to accidentally introduce company secrets into software or code. There are a number of secrets that developers can accidentally hardcode or expose during the software development process, says Alon Schindel, vice president of AI and threat research at cloud security company Wiz. These secrets can include passwords, encryption keys, API access tokens, cloud provider secrets, and TLS certificates.
“The most serious risk of leaving secrets hardcoded is that if digital credentials and secrets are exposed, they could give adversaries unauthorized access to a company’s databases, source code, and other sensitive digital infrastructure,” Schindel said.
The stakes are high: Schindel added that the disclosure of secrets could lead to data breaches, hackers breaking into networks and supply chain attacks. Research 2019 found thousands of secrets leaked on GitHub every day. And while There are various secret scanning tools.These are largely focused on specific goals rather than the entire site, Demirkapi says.
During his research, Demirkapi, who first found prominence for teen school hacks five years ago, hunted for these private keys on a large scale—as opposed to picking a company and looking specifically for its secrets. To do this, he turned to VirusTotal, a Google-owned site that allows developers to upload files—like apps—and scan them for potential malware.
