
Thousands of corporate secrets were exposed. This man found them all

If you know where to look, you can find plenty of secrets on the internet. Since the fall of 2021, independent security researcher Bill Demirkapi has been developing ways to tap into huge sources of data — which are often overlooked by researchers — to find a wealth of security issues. This includes automatically finding developer secrets (such as passwords, API keys, and authentication tokens) that could give cybercriminals access to company systems and the ability to steal data.

Today at the Defcon security conference in Las Vegas, Demirkapi is revealing the results of this work, detailing a huge trove of leaked secrets and broader website vulnerabilities. Among at least 15,000 developer secrets hard-coded into software, he found hundreds of username and password details linked to the Nebraska Supreme Court and its IT systems; the details needed to access Stanford University’s Slack channels; and more than a thousand API keys belonging to OpenAI customers.

Among the thousands of organizations that inadvertently exposed secrets were a major smartphone manufacturer, clients of a financial technology firm, and a multibillion-dollar cybersecurity company. As part of his efforts to stem the tide, Demirkapi devised a way to automatically revoke the data, rendering it useless to any hacker.

In a second line of investigation, Demirkapi also scanned data sources to find 66,000 websites with subdomain issues, making them vulnerable to a variety of attacks, including hijacking. Some of the world’s largest websites, including a development domain owned by The New York Times, had vulnerabilities.

While the two security issues he analyzed are well-known among researchers, Demirkapi says that turning to unconventional datasets — typically reserved for other purposes — allowed thousands of issues to be identified en masse and, if scaled up, offers the potential to help protect the web at large. “The goal has been to find ways to discover trivial vulnerability classes at scale,” Demirkapi tells WIRED. “I think there’s a gap for creative solutions.”

Secrets revealed; vulnerable websites

It’s relatively trivial for a developer to accidentally include company secrets in software or code. Alon Schindel, vice president of AI and threat research at cloud security firm Wiz, says there are a wide variety of secrets that developers can inadvertently hardcode or expose throughout the software development process. These can include passwords, encryption keys, API access tokens, cloud provider secrets, and TLS certificates.

“The most serious risk of leaving secrets encoded is that if digital authentication credentials and secrets are exposed, they can give adversaries unauthorized access to an organization’s codebases, databases and other sensitive digital infrastructure,” Schindel said.

The risks are high: Exposed secrets can lead to data breaches, hackers breaking into networks, and supply chain attacks, Schindel adds. Research in 2019 found that thousands of secrets were leaked on GitHub every day. And while there are several secret-scanning tools, these are mostly focused on specific targets and not the broader web, says Demirkapi.
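Secrets of the kinds Schindel lists can be caught before code ships with a scanner run in CI or a pre-commit hook. The following Python example is added here and is not code from Demirkapi, Wiz or any scanning product; it combines two well-known formats (AWS access key IDs, which start with `AKIA`, and PEM private-key headers) with an entropy check on password/token assignments, and runs over a constructed sample config.

```python
import math
import re

# Detector rules. The AWS access key ID and PEM header formats are well known;
# the generic rule catches password/secret/token assignments whose value is a
# string literal, then filters out low-entropy placeholders like "changeme".
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*"
        r"['\"]([^'\"]{8,})['\"]"),
}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random keys score high, words score low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan(text: str, min_entropy: float = 3.0) -> list[dict]:
    """Return one finding (line number, rule, matched value) per suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(2) if kind == "generic_assignment" else m.group(0)
            # Placeholder-looking values are reported nowhere; real keys pass.
            if kind == "generic_assignment" and shannon_entropy(value) < min_entropy:
                continue
            findings.append({"line": lineno, "kind": kind, "value": value})
    return findings


# Constructed sample config; the AKIA value is the documented AWS example key,
# the sk- value is made up for this example, and nothing here is a live secret.
SAMPLE = """\
# constructed sample config, not real credentials
DB_PASSWORD = "changeme"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
openai_api_key = "sk-constructed-x9Qe7Lm2Tz4Vb8Kd"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f['line']}: {f['kind']} -> {f['value']}")
```

The entropy threshold is the usual trade-off: lower it and placeholders show up as noise, raise it and short real passwords slip through, so tune it against your own repositories.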

During his research, Demirkapi, who became known for hacking schools as a teenager five years ago, looked for these secret keys on a large scale, rather than singling out a company and specifically looking for its secrets. To do so, he turned to VirusTotal, the Google-owned website that allows developers to upload files (such as apps) and have them scanned for potential malware.