Unlocking Online Secrets: Revealing Massive Troves of Leaked Secrets and Vulnerabilities
If you know where to look, plenty of secrets can be found online. Security researcher Bill Demirkapi has been diligently working since the fall of 2021 to uncover overlooked data sources and massive security vulnerabilities. His efforts have led to the automatic discovery of developer secrets like passwords, API keys, and authentication tokens, which could potentially grant cybercriminals unauthorized access to company systems and sensitive data.
The Revealing Results
Today, at the Defcon security conference in Las Vegas, Demirkapi is shedding light on the extensive findings of his work. He has uncovered a vast trove of leaked secrets and widespread website vulnerabilities. Among the discoveries are at least 15,000 developer secrets embedded in software, including sensitive details like username and password combinations for Nebraska’s Supreme Court and Stanford University’s Slack channels, as well as over a thousand API keys belonging to OpenAI customers.
Astonishingly, major smartphone manufacturers, customers of a fintech company, and a multibillion-dollar cybersecurity company are among the thousands of organizations inadvertently exposing their secrets. As part of his efforts to mitigate the risks, Demirkapi has devised methods to automatically revoke these exposed details, rendering them useless to potential hackers.
In a separate facet of his research, Demirkapi has also identified 66,000 websites with dangling subdomains (DNS records that still point at resources their owners no longer control), leaving them vulnerable to attacks such as subdomain hijacking. Notable websites, including a development domain owned by The New York Times, have been found to have these vulnerabilities.
Evaluating Security Risks
It is alarmingly easy for developers to inadvertently include their company’s secrets in software or code. According to Alon Schindel, the vice president of AI and threat research at the cloud security company Wiz, developers can unknowingly hard-code or expose a wide range of secrets throughout the software development process. These secrets may include passwords, encryption keys, API access tokens, cloud provider secrets, and TLS certificates.
The consequences of exposing these secrets can be severe, potentially leading to data breaches, network intrusions, and supply chain attacks. Previous research has highlighted the ongoing risk of leaked secrets on platforms like GitHub. While tools exist to scan for secrets, Demirkapi's approach of using unconventional datasets to identify vulnerabilities at scale is a distinct and valuable contribution to web security.
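The two paragraphs above describe the problem (secrets hard-coded into source) and the defensive answer (scanning for them). As an added illustration that is not part of the original article and not Demirkapi's tooling, the following Python scanner shows the two signals such tools commonly combine: a suspicious variable name (password, token, api_key, ...) assigned a string literal, and a string literal whose Shannon entropy and length look like a random key regardless of its name. The sample "source file", every value in it, and the entropy thresholds are constructed for this example; real scanners add vendor-specific key formats and commit-history scanning on top of this.

```python
import math
import re
from typing import Dict, List

# Constructed sample source file. Every value below is fake and labelled as
# such; none of them is a real credential.
SAMPLE_SOURCE = """\
DB_HOST = "db.internal.example"
DB_PASSWORD = "hunter2"
api_key = "sk-CONSTRUCTED0abcdef1234567890ABCDEF1234567890"
AUTH_TOKEN = os.environ.get("AUTH_TOKEN")
aws_secret_access_key = "CONSTRUCTEDsecret9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c"
placeholder_token = "REPLACE_ME"
CACHE_SEED = "CONSTRUCTEDq7Hd2Zp9Lm4Xs8Wv1Kt6Ry3Nb5Jc0"
"""

# Variable names that commonly hold secrets (assumed list, extend as needed).
SECRET_NAME = re.compile(
    r"(pass(word|wd)?|secret|api[_-]?key|token|private[_-]?key|access[_-]?key)",
    re.I,
)
# `name = "literal"` or `name: "literal"`; a value such as os.environ.get(...)
# does not start with a quote and therefore never matches, which is the point:
# reading a secret from the environment is the fix, not the finding.
ASSIGNMENT = re.compile(
    r"""^\s*(?P<name>[A-Za-z_][\w.]*)\s*[=:]\s*["'](?P<value>[^"']+)["']"""
)
# Obvious placeholders that would otherwise produce noise.
PLACEHOLDERS = {"REPLACE_ME", "CHANGEME", "TODO", "XXX", "<REDACTED>"}

# Assumed thresholds: a named secret only needs to look moderately random,
# an unnamed literal must look strongly random and be reasonably long.
NAMED_ENTROPY, NAMED_MIN_LEN = 3.5, 16
UNNAMED_ENTROPY, UNNAMED_MIN_LEN = 4.0, 20


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the character histogram."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Show only a short prefix so reports do not re-leak the secret."""
    return value[:4] + "***"


def scan_source(text: str) -> List[Dict]:
    """Return one finding per line that assigns a secret-looking literal."""
    findings: List[Dict] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ASSIGNMENT.match(line)
        if not m:
            continue
        name, value = m.group("name"), m.group("value")
        if value.upper() in PLACEHOLDERS:
            continue
        ent = shannon_entropy(value)
        name_hit = bool(SECRET_NAME.search(name))
        random_looking = ent >= NAMED_ENTROPY and len(value) >= NAMED_MIN_LEN
        if name_hit and random_looking:
            level = "high"      # secret-like name holding a key-shaped value
        elif name_hit:
            level = "medium"    # secret-like name, but a short/simple value
        elif ent >= UNNAMED_ENTROPY and len(value) >= UNNAMED_MIN_LEN:
            level = "low"       # key-shaped value under an innocuous name
        else:
            continue
        findings.append({
            "line": lineno,
            "name": name,
            "level": level,
            "entropy": round(ent, 2),
            "preview": redact(value),
        })
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']:>3}  {f['level']:<6} {f['name']} = {f['preview']}  "
              f"(entropy {f['entropy']})")
```

Running the block reports the hard-coded password (medium), the two key-shaped values under secret-like names (high), and the random-looking literal under a harmless name (low); the environment lookup, the hostname and the placeholder produce nothing. The preview deliberately truncates each value so that the scanner's own output is not a second leak.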
As Demirkapi continues to innovate in the realm of cybersecurity, his work underscores the importance of proactive measures to safeguard sensitive information and prevent potential security breaches.