Thousands of websites are accidentally broadcasting sensitive data, study finds
Key Points:
- Researchers from Stanford University analyzed 10 million websites and discovered 1,748 active API credentials exposed in live website code, risking unauthorized access to cloud servers, bank accounts, and customer data.
- The exposed credentials, most often found in JavaScript files, had in some cases been publicly accessible for years; the usual cause was a developer including a private key in code that was shipped to the production website.
- The study highlights that scanning source code alone is insufficient: most leaks are introduced during the website build process, so the credential appears only in the deployed site, in the files a browser loads when the page renders.
- After notifying affected organizations, half of the exposed credentials were removed or deactivated within two weeks, underscoring the importance of timely intervention.
- To prevent future leaks, the researchers recommend scanning the deployed (live) version of a site rather than only its source, enforcing strict automated build rules, and improving service providers' alerting for keys detected on public webpages.
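The scanning approach the study recommends, as an added example that is not part of the original article or the researchers' tooling: take the scripts a served page actually loads, then scan their contents for credential formats. The sample HTML and bundle text below are constructed, with placeholder values in each provider's documented format; the key-format regexes, the entropy threshold and the public-prefix allowlist are this example's own assumptions.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample: served HTML naming the hashed bundle the browser will load.
# The bundle name is only known after fetching the live page, which is why a
# repository scan misses it.
SAMPLE_HTML = """<html><head><script src="/static/js/main.3f2a1c.chunk.js"></script>
<script src="https://cdn.example.invalid/vendor.js"></script></head><body></body></html>"""

# Constructed sample: a minified production bundle in which the build step
# inlined configuration values. All values are placeholders in the documented
# format of each provider, not real credentials.
SAMPLE_BUNDLE = """\
var e={apiBase:"https://api.example.invalid/v1"};
const AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPLE";
const AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
fetch(e.apiBase,{headers:{Authorization:"Bearer sk_live_51Habcdefghijklmnopqrstuvwx"}});
const GITHUB_TOKEN="ghp_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789";
const STRIPE_PUBLISHABLE_KEY="pk_live_abcdefghijklmnopqrstuvwxyz";
const API_KEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxx";
"""

# Provider-specific formats (fixed prefix plus length) give high-confidence hits.
# Assumed patterns; check them against each provider's current documentation.
SPECIFIC_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe-secret-key": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
    "github-pat": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
}
# Generic catch-all: a secret-looking identifier assigned a long quoted string.
GENERIC_RULE = re.compile(
    r"""(?i)\b[A-Z0-9_]*(secret|token|key|password)[A-Z0-9_]*\s*[:=]\s*["']([A-Za-z0-9/+_\-=]{20,})["']"""
)
# Keys a provider designs to be embedded in client code; reporting them is noise.
PUBLIC_PREFIXES = ("pk_live_", "pk_test_")


class _ScriptSrcParser(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.srcs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def script_urls(html: str, page_url: str) -> list[str]:
    """Absolute URLs of the scripts a page loads, taken from the HTML it serves."""
    parser = _ScriptSrcParser()
    parser.feed(html)
    return [urljoin(page_url, src) for src in parser.srcs]


def shannon_entropy(s: str) -> float:
    """Bits per character: random key material sits well above 3.5, placeholders near 0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep enough of the value to identify it in a report without re-leaking it."""
    return value[:6] + "..." + value[-4:]


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    redacted: str


def scan_bundle(text: str, entropy_threshold: float = 3.5) -> list[Finding]:
    """Scan fetched script text; returns one Finding per distinct credential value."""
    findings: list[Finding] = []
    seen: set[str] = set()
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SPECIFIC_RULES.items():
            for m in pattern.finditer(line):
                seen.add(m.group(0))
                findings.append(Finding(rule, line_no, redact(m.group(0))))
        for m in GENERIC_RULE.finditer(line):
            value = m.group(2)
            if value in seen or value.startswith(PUBLIC_PREFIXES):
                continue  # already reported by a specific rule, or intentionally public
            if shannon_entropy(value) < entropy_threshold:
                continue  # "xxxx..." style placeholder, not key material
            seen.add(value)
            findings.append(Finding("generic-high-entropy-secret", line_no, redact(value)))
    return findings


if __name__ == "__main__":
    for url in script_urls(SAMPLE_HTML, "https://www.example.invalid/"):
        print("would fetch:", url)
    for f in scan_bundle(SAMPLE_BUNDLE):
        print(f"line {f.line}: {f.rule}: {f.redacted}")
```

In practice the URLs returned by `script_urls` are fetched (or, for sites that inject scripts at runtime, collected from a headless browser's network log) and each response body is passed to `scan_bundle`. The same function can run as a build-time gate over the bundler's output directory, which is where the study says most of these leaks originate; a hit there blocks the deploy instead of waiting for an external report.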