
Thousands of corporate secrets were left exposed. This guy found them all

If you know where to look, you can find a lot of secrets online. Since the fall of 2021, independent security researcher Bill Demirkapi has been developing ways to tap into massive data sources often overlooked by researchers to find masses of security issues. This includes automatically searching for developer secrets, such as passwords, API keys, and authentication tokens, that could give cybercriminals access to corporate systems and the ability to steal data.

Today, at the Defcon security conference in Las Vegas, Demirkapi is unveiling the results of that work, detailing a wealth of leaked secrets and broader vulnerabilities on the web. Among at least 15,000 developer secrets hard-coded into software, he found hundreds of username and password details tied to the Nebraska Supreme Court and its IT systems; details needed to log into Stanford University’s Slack channels; and more than a thousand API keys belonging to OpenAI customers.

A major smartphone maker, a fintech company’s clients, and a multibillion-dollar cybersecurity firm are among the thousands of organizations that have inadvertently exposed secrets. As part of his efforts to stem the tide, Demirkapi has figured out a way to automatically have the details revoked, making them useless to any hacker.

In a second line of research, Demirkapi also analyzed data sources to find 66,000 websites with dangling subdomain issues, leaving them vulnerable to various attacks, including hijacking. Some of the world’s largest websites, including a development domain owned by the New York Times, had these weaknesses.
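A dangling subdomain is a DNS record, typically a CNAME, that still points at a host the organization no longer controls, so an outsider who can claim that host inherits the name. The defensive counterpart to the scan described above is to audit your own zone for such records. The following is an added example, not Demirkapi's tooling or any code from the article: it follows CNAME chains inside a constructed zone (placeholder provider names, not real services), flags loops, and hands the final external target to an injected `resolves` callback so the check can run offline against a fixture or, via `live_resolver`, against the system resolver.

```python
"""Audit a DNS zone export for dangling CNAME records (added example)."""
import socket
from typing import Callable, Iterable

# A zone record as (owner name, type, data). Names are absolute (trailing dot).
Record = tuple[str, str, str]


def find_dangling_cnames(
    records: Iterable[Record],
    resolves: Callable[[str], bool],
    max_chain: int = 8,
) -> list[tuple[str, str]]:
    """Return (owner, final_target) for CNAMEs whose target no longer resolves.

    CNAME chains inside the zone are followed first; only the final external
    target is handed to `resolves`, which is injected so the audit can run
    against a live resolver or an offline fixture. CNAME loops never resolve,
    so they are reported as dangling too.
    """
    in_zone = {name: (rtype, data) for name, rtype, data in records}
    dangling = []
    for owner, rtype, target in records:
        if rtype != "CNAME":
            continue
        seen = {owner}
        hops = 0
        # Follow CNAME -> CNAME within our own zone, guarding against loops.
        while target in in_zone and in_zone[target][0] == "CNAME":
            if target in seen or hops >= max_chain:
                dangling.append((owner, target))  # loop or runaway chain
                break
            seen.add(target)
            hops += 1
            target = in_zone[target][1]
        else:
            if target in in_zone:
                continue  # ends on an A/AAAA record we control ourselves
            if not resolves(target):
                dangling.append((owner, target))
    return dangling


def live_resolver(name: str) -> bool:
    """Real check via the system resolver (not used by the offline demo)."""
    try:
        socket.gethostbyname(name.rstrip("."))
        return True
    except socket.gaierror:
        return False


# Constructed zone; provider names are placeholders, not real services.
ZONE: list[Record] = [
    ("www.example.test.", "CNAME", "site-123.cdn-provider.test."),
    ("old-dev.example.test.", "CNAME", "retired-app.hosting-provider.test."),
    ("blog.example.test.", "CNAME", "shop.example.test."),
    ("shop.example.test.", "CNAME", "store-456.hosting-provider.test."),
    ("api.example.test.", "A", "192.0.2.10"),
    ("loop-a.example.test.", "CNAME", "loop-b.example.test."),
    ("loop-b.example.test.", "CNAME", "loop-a.example.test."),
]
# Offline fixture standing in for the resolver: only these targets still exist.
STILL_LIVE = {"site-123.cdn-provider.test.", "store-456.hosting-provider.test."}


def demo() -> list[tuple[str, str]]:
    """Run the audit against the constructed zone with the offline fixture."""
    return find_dangling_cnames(ZONE, lambda n: n in STILL_LIVE)


if __name__ == "__main__":
    for owner, target in demo():
        print(f"dangling: {owner} -> {target}")
```

Run against the fixture, `old-dev` is reported because its retired hosting target no longer resolves, `blog` is not because its chain through `shop` ends on a live target, and both halves of the loop are reported. Swapping the lambda for `live_resolver` turns this into a real audit of an exported zone file.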

While the two security problems he examined are well-known among researchers, Demirkapi says that using unconventional data sets, usually reserved for other purposes, has allowed thousands of problems to be identified en masse, and if scaled up, has the potential to help secure the web at large. “The goal has been to find ways to discover trivial classes of vulnerabilities at scale,” Demirkapi told WIRED. “I think there’s a gap for creative solutions.”

Secrets Revealed; Vulnerable Websites

It’s relatively trivial for a developer to accidentally include their company’s secrets in software or code. Alon Schindel, vice president of AI and threat research at cloud security firm Wiz, says there’s a huge variety of secrets that developers can inadvertently encode or expose during the software development pipeline. These can include passwords, encryption keys, API access tokens, cloud provider secrets, and TLS certificates.

“The most serious risk in leaving secrets hard-coded is that if digital authentication credentials and secrets are exposed, they can grant adversaries unauthorized access to a company’s codebases, databases, and other sensitive digital infrastructure,” Schindel says.

The risks are high: Exposed secrets can lead to data breaches, hackers penetrating networks, and supply chain attacks, Schindel adds. Previous research in 2019 found that thousands of secrets were leaked to GitHub every day. And while there are various secret scanning tools, they are largely focused on specific targets and not the broader web, Demirkapi says.
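What a secret scanner actually does is pattern-match candidate credentials in text and then filter the noise. The block below is an added example written for this article, not Demirkapi's scanner or any vendor's tool: it combines a few vendor-shaped regexes (assumed, approximate formats chosen for illustration) with a generic "credential-looking assignment" pattern gated by a Shannon entropy threshold so placeholders like `changeme` are not reported, and it redacts every match so the scanner itself never logs a full secret. The sample file it scans is constructed; all values in it are fake.

```python
"""Scan source text for hard-coded developer secrets (added example)."""
import math
import re
from dataclasses import dataclass

# Illustrative token formats. ASSUMPTION: these regexes approximate real
# vendor formats for demonstration only; a production scanner should use the
# providers' published formats and verify each candidate before acting on it.
SPECIFIC_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}"),
    "openai_style_key": re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"),
}
# Generic fallback: a credential-looking assignment with a quoted value.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)
ENTROPY_THRESHOLD = 3.0  # bits per character; filters placeholders like "changeme"


@dataclass
class Finding:
    kind: str
    line_no: int
    preview: str  # redacted: the scanner never stores or logs the full secret


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's character distribution."""
    if not s:
        return 0.0
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix for triage, drop the rest."""
    return f"{value[:4]}...(len={len(value)})"


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per suspected secret, in file order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hit = False
        for kind, pattern in SPECIFIC_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(kind, line_no, redact(m.group(0))))
                hit = True
        if hit:
            continue  # a specific match already explains this line
        m = GENERIC_ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append(Finding("generic_assignment", line_no, redact(m.group(2))))
    return findings


# Constructed sample input; every value below is fake.
SAMPLE = """\
# constructed config file, all values are fake
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
SLACK_TOKEN = "xoxb-000000000000-111111111111-abcdefghijklmnopqrstuvwx"
OPENAI_KEY = "sk-abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKL"
password = "changeme"
api_key = "9f8e7d6c5b4a39281706f5e4d3c2b1a0"
debug = True
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.kind} {f.preview}")
```

The entropy gate is the part worth tuning: `changeme` scores about 2.75 bits per character and is dropped, while a 32-character hex value scores 4.0 and is kept. The same trade-off applies at the scale the article describes, where a scanner that reports every `password = "..."` line drowns the real leaks in placeholders.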

In his research, Demirkapi, who first gained prominence for his teenage school hacking exploits five years ago, looked for these secret keys on a large scale, rather than selecting a company and looking specifically for its secrets. To do so, he turned to VirusTotal, the Google-owned website that lets developers upload files, such as apps, and have them scanned for potential malware.

Written by Anika Begay
