Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Keys on Doormats: Exposed API Credentials on the Web

Nurullah Demir, Yash Vekaria, Georgios Smaragdakis, Zakir Durumeric

Abstract

Application programming interfaces (APIs) have become a central part of the modern IT environment, allowing developers to enrich the functionality of applications and interact with third parties such as cloud and payment providers. This interaction often occurs through authentication mechanisms that rely on sensitive credentials such as API keys and tokens that require secure handling. Exposure of these credentials can pose significant consequences to organizations, as malicious attackers can gain access to related services. Previous studies have shown exposure of these sensitive credentials in different environments such as cloud platforms and GitHub. However, the web remains unexplored. In this paper, we study exposure of credentials on the web by analyzing 10M webpages. Our findings reveal that API credentials are widely and publicly exposed on the web, including highly popular and critical webpages such as those of global banks and firmware developers. We identify 1,748 distinct credentials from 14 service providers (e.g., cloud and payment providers) across nearly 10,000 webpages. Moreover, our analysis of archived data suggest credentials to remain exposed for periods ranging from a month to several years. We characterize web-specific exposure vectors and root causes, finding that most originate from JavaScript environments. We also discuss the outcomes of our responsible disclosure efforts that demonstrated a substantial reduction in credential exposure on the web.

Keys on Doormats: Exposed API Credentials on the Web

Abstract

Application programming interfaces (APIs) have become a central part of the modern IT environment, allowing developers to enrich the functionality of applications and interact with third parties such as cloud and payment providers. This interaction often occurs through authentication mechanisms that rely on sensitive credentials such as API keys and tokens that require secure handling. Exposure of these credentials can pose significant consequences to organizations, as malicious attackers can gain access to related services. Previous studies have shown exposure of these sensitive credentials in different environments such as cloud platforms and GitHub. However, the web remains unexplored. In this paper, we study exposure of credentials on the web by analyzing 10M webpages. Our findings reveal that API credentials are widely and publicly exposed on the web, including highly popular and critical webpages such as those of global banks and firmware developers. We identify 1,748 distinct credentials from 14 service providers (e.g., cloud and payment providers) across nearly 10,000 webpages. Moreover, our analysis of archived data suggest credentials to remain exposed for periods ranging from a month to several years. We characterize web-specific exposure vectors and root causes, finding that most originate from JavaScript environments. We also discuss the outcomes of our responsible disclosure efforts that demonstrated a substantial reduction in credential exposure on the web.
Paper Structure (27 sections, 12 figures, 5 tables)

This paper contains 27 sections, 12 figures, 5 tables.

Table of Contents

  1. Introduction
  2. Background
  3. Related Work
  4. Methodology
  5. Identifying Exposed Credentials
  6. Longitudinal Analysis
  7. Responsible Disclosure
  8. Results on Exposed Credentials
  9. Overview of Verified Exposed Credentials
  10. Ecosystem Analysis of Credential Exposure
  11. Technical Exposure Environment
  12. Case Studies
  13. Critical Infrastructure Exposure
  14. Supply-Chain Risk
  15. Exposure Persistence
  16. ...and 12 more sections

Figures (12)

  • Figure 1: Overview of our measurement pipeline to detect and validate credential exposures on the web (top), followed by responsible disclosure and remediation monitoring (bottom).
  • Figure 2: Distinct credential exposures over website-popularity ranks, partitioned into first-party sources (left) and third-party sources (right). First-party exposures are common at all ranks. Third-party exposures are frequent, particularly on popular third-party integrations, and often result from first-party misconfigurations.
  • Figure 3: Relation between five major website categories (left) and eight common third-party services (right); link widths reflect the number of distinct exposed credentials.
  • Figure 4: Persistence duration of exposed credentials by service (in months).
  • Figure 5: Persistence trend of exposed credentials and affected services over time.
  • ...and 7 more figures