
How Security Researchers Discovered More than 1.6 Million Secrets Leaked by Websites

by CISOCONNECT Bureau

Recently, security researchers discovered that over 1.6 million secrets had been leaked by websites. Read on to know more about it.

According to security researchers, over 1.6 million secrets have been leaked by websites, including over 395,000 by the top one million domains.

Modern web applications frequently embed API keys, cryptographic secrets, and other credentials in the JavaScript files they serve to the browser as client-side source code.

RedHunt Labs researchers used a tool developed especially for the task and sought information disclosure vulnerabilities through a “non-intrusive” probe of millions of website home pages and exceptions thrown by debug pages used in popular frameworks.

In a blog post, Pinaki Mondal, Security Researcher at RedHunt Labs, said: “The number of secrets exposed via the front end of hosts is alarmingly huge.”

“Once a valid secret gets leaked, it paves the path for lateral movement amongst attackers, who may decide to abuse the business service account leading to financial losses or total compromise.”

Scanning of Millions of Secrets
The first of two enormous scans was focused on the one million most heavily trafficked websites. It produced 395,713 secrets, of which 77 percent were related to Google services like reCAPTCHA, Google Cloud, or Google OAuth.

More than half (212,127) of these secrets were from Google’s reCAPTCHA, and the messaging app LINE and Amazon Web Services (AWS) rounded out the top five leaked secret types.

Phase two’s scanning of about 500 million hosts surfaced 1,280,920 secrets, the majority of which were related to Stripe which was followed by Google reCAPTCHA, Google Cloud API, AWS, and Facebook.

Across both phases, frontend JavaScript files were the source of 77 percent of exposures.

The majority of JavaScript was served via Content Delivery Networks (CDNs), with the Squarespace CDN leading the way with more than 197,000 exposures.

Mondal blamed the “decades”-old problem of leaked secrets on the “complexities of the software development lifecycle”, adding: “As the code-base enlarges, developers often fail to redact the sensitive data before deploying it to production.”

About Research
The RedHunt Labs research team told The Daily Swig that they are still “continuously reporting the secrets through automation to their source domains provided they have an email [address] mentioned on their home page”.

The researchers said that thus far, there have been no legal issues associated with the research.

The researchers said: “We received a few abuse reports against the boxes on which the scan was run and we have handled them.”

The “extremely non-intrusive” process involved no “more than a few HTTP requests per domain” and no write actions – “only read requests to HTTP URLs and JavaScript files were sent”.

The researchers added that the captured secrets, meanwhile, are “stored on an encrypted volume with access to very limited folks” and “will be disposed of after a month”.

RedHunt Labs has open-sourced the tool developed for the research and created a demonstration video.

Known as HTTPLoot, it can crawl and scrape asynchronously, check for secrets that have been exposed in JavaScript files, find and complete forms to trigger error/debug pages, extract secrets from debug pages, and automatically detect tech stacks.

RedHunt Labs has outlined four best practices for preventing and mitigating leaked secrets: setting restrictions on access keys, centrally managing secrets in a restricted environment or configuration file, setting up alerts for leaked secrets, and continuously monitoring source code for information leakage issues.
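The secret-scanning step that HTTPLoot performs on JavaScript files, together with the "monitor source code" and "alerts" practices listed above, can be reproduced as a pre-deploy check a site owner runs over its own bundles. The following is an added example written for this article; it is not HTTPLoot or any RedHunt Labs code. The credential formats it recognises (AWS access key IDs, Google API keys, Stripe live secret keys) are assumptions based on publicly documented key prefixes, the generic entropy rule and its threshold are design choices, and the sample bundle is constructed from documentation-style placeholder values.

```python
"""Pre-deploy check: scan JavaScript bundles for embedded credentials.

Added illustration for this article, not RedHunt Labs' HTTPLoot. The
credential formats below are assumptions based on public key prefixes.
"""
import math
import re
import sys
from collections import Counter
from dataclasses import dataclass

# Provider-specific formats (assumed; based on publicly documented prefixes).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "stripe_live_secret": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
}

# Generic rule: a credential-looking property name assigned a quoted literal
# of at least 16 characters. Entropy filtering below keeps placeholders quiet.
GENERIC = re.compile(
    r"""(?i)\b([A-Za-z_]*(?:api[_-]?key|secret|token|password)[A-Za-z_]*)"""
    r"""\s*[:=]\s*["']([^"'\s]{16,})["']"""
)
ENTROPY_THRESHOLD = 3.5  # bits per character (assumed cut-off)


@dataclass(frozen=True)
class Finding:
    kind: str
    line: int
    redacted: str  # the alert itself must not re-leak the secret


def shannon_entropy(s: str) -> float:
    """Bits per character; repeated placeholder text scores near zero."""
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep only the first and last four characters for the alert."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def _line_of(text: str, offset: int) -> int:
    return text.count("\n", 0, offset) + 1


def scan_js(text: str) -> list[Finding]:
    """Return one Finding per distinct credential value, ordered by line."""
    seen: dict[str, Finding] = {}
    # 1. Exact provider formats take precedence over the generic rule.
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(0)
            seen.setdefault(value, Finding(kind, _line_of(text, m.start()), redact(value)))
    # 2. Generic assignments, filtered by entropy so placeholders do not fire.
    for m in GENERIC.finditer(text):
        value = m.group(2)
        if value in seen or shannon_entropy(value) < ENTROPY_THRESHOLD:
            continue
        seen[value] = Finding("high_entropy_assignment", _line_of(text, m.start(2)), redact(value))
    return sorted(seen.values(), key=lambda f: f.line)


# Constructed sample of a shipped bundle (not code from any real site).
# The AWS values are the placeholders used in AWS documentation.
SAMPLE_BUNDLE = r"""// constructed sample of a shipped bundle
const config = {
  region: "us-east-1",
  accessKeyId: "AKIAIOSFODNN7EXAMPLE",
  secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  mapsKey: "AIzaSyExampleExampleExampleExample12345",
  stripeSecretKey: "sk_live_ExampleExampleExample0001",
  apiKey: "aaaaaaaaaaaaaaaaaaaaaaaa",
  password: "hunter2",
};
"""

if __name__ == "__main__":
    # Usage: python scan_bundles.py dist/*.js   (no arguments: scan the sample)
    texts = [open(p, encoding="utf-8").read() for p in sys.argv[1:]] or [SAMPLE_BUNDLE]
    total = 0
    for text in texts:
        for f in scan_js(text):
            print(f"line {f.line}: {f.kind} {f.redacted}")
            total += 1
    # Non-zero exit blocks the deploy step; the printed lines feed the alert.
    sys.exit(1 if total else 0)
```

Run against the sample, the check reports the AWS access key ID, the AWS secret (caught by the generic rule because its property name contains "secret" and its value has high entropy), the Google key and the Stripe live key, while the low-entropy `apiKey` placeholder and the short `password` value are left alone. Wiring the script into CI as a gate on the built bundle is the cheapest form of the "continuously monitor source code" practice, and emitting only redacted values keeps the alert channel from becoming a second leak.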
