https://portswigger.net/daily-swig/internet-scans-find-1-6-million-secrets-leaked-by-websites
Security researchers have apparently discovered more than 1.6 million secrets leaked by websites, including more than 395,000 exposed by the one million most popular domains.
Modern web applications typically embed API keys, cryptographic secrets, and other credentials within JavaScript files in client-side source code.
Aided by a tool developed specifically for the task, researchers from RedHunt Labs sought information disclosure vulnerabilities via a ânon-intrusiveâ probe of millions of website home pages and exceptions thrown by debug pages used in popular frameworks.
DONâT MISS Email platform Zimbra patches memcached injection flaw that imperils user credentials
âThe number of secrets exposed via the front end of hosts is alarmingly huge,â said Pinaki Mondal, security researcher at RedHunt Labs, in a blog post.
âOnce a valid secret gets leaked, it paves the path for lateral movement amongst attackers, who may decide to abuse the business service account leading to financial losses or total compromise.â
Millions of secrets
The first of two mammoth scans focused on the one million most heavily trafficked websites. It yielded 395,713 secrets, three quarters of which (77%) were related to Google services reCAPTCHA, Google Cloud, or Google OAuth.
Googleâs reCAPTCHA alone accounted for more than half (212,127) of these secrets â and the top five exposed secret types was completed by messaging app LINE and Amazon Web Services (AWS).
Phase two, which involved scanning around 500 million hosts, surfaced 1,280,920 secrets, most commonly pertaining to Stripe, followed by Google reCAPTCHA, Google Cloud API, AWS, and Facebook.
Read more of the latest cybersecurity research news and analysis
A majority of exposures across both phases â 77% â occurred in frontend JavaScript files.
Most JavaScript was served through content delivery networks (CDNs), with the Squarespace CDN leading the way with over 197,000 exposures.
Mondal blamed the âdecadesâ-old problem of leaked secrets on the âcomplexities of the software development lifecycleâ, adding: âAs the code-base enlarges, developers often fail to redact the sensitive data before deploying it to production.â
âNon-intrusiveâ research
The RedHunt Labs research team told The Daily Swig that they are still âcontinuously reporting the secrets through automation to their source domains provided they have an email [address] mentioned on their home pageâ.
The researchers said they had encountered no legal problems related to the research so far.
âWe received a few abuse reports against the boxes on which the scan was run and we have handled them,â they said.
The âextremely non-intrusiveâ process involved no âmore than a few HTTP requests per domainâ and no written actions â âonly read requests to HTTP URLs and JavaScript files were sentâ.
The captured secrets, meanwhile, are âstored on an encrypted volume with access to very limited folksâ and âwill be disposed of after a monthâ, added the researchers.
Red Hunt Labs has open-sourced the tool developed for the research and created a demonstration video:
Called HTTPLoot, it can crawl and scrape URLs asynchronously, check for leaked secrets in JavaScript files, find and complete forms to trigger error/debug pages, extract secrets from debug pages, and automatically detect tech stacks.
Redhunt Labs has set out four best practices for preventing and mitigating leaked secrets, including setting restrictions on access keys, centrally managing secrets in a restricted environment or config file, setting up alerts for leaked secrets, and continuously monitoring source code for information leakage issues.
Web Application Security: Exploitation and Countermeasures for Modern Web Applications
