Oh boy.
-
Oh boy. Stanford researchers scanned 10 million web pages and found API keys just sitting in the public-facing code. That's 1,748 active credentials from major providers exposed in live website code, mostly inside JavaScript files. Not in old test environments. Not in a forgotten repo. In the live, running site. Banks. Healthcare providers. "Not just small companies, but some very large companies," according to the lead researcher. And some of those credentials had been sitting there for years. Not the first time I've seen something like this.

⚠️ The thing is that most orgs are scanning their source code but not their deployed sites.
Those are two different things, and most leaks originate during the build process. A key gets baked in somewhere between development and production, and nobody catches it because the scan already ran upstream. Meanwhile, GitGuardian counted over 28 million new hardcoded secrets exposed in public GitHub commits in 2025 alone. This isn't a one-time research finding; it's a systemic habit that needs to change.
When did your team last scan the live site, not just the codebase?
If you're in a regulated industry, that question just became a compliance question too.
https://www.newscientist.com/article/2520143-security-credentials-inadvertently-leaked-on-thousands-of-websites/
#Cybersecurity #AppSec #Leadership #security #privacy #cloud #infosec -
@brian_greenberg Good to have you posting again sir. You been quiet!
-
@brian_greenberg The fastest critical finding I made in a web app pen test came about 3 or so years ago. Was doing a zero-knowledge assessment of some online store. First thing I did was browse to the site and hit 'view source' to see what I could find out about the stack etc.
At the very top, in a code comment, was the unmistakable shape of an AWS Access Key and Secret.
I thought it was probably a canary, since why else would it be there? So I carefully explored it via a proxy to see what would happen.
Friggin' valid AWS key. Attached to the root account no less.
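As an added example (not code from the thread or from any tool named in it), a minimal scanner of the kind the original post argues for: it works on a fetched page body rather than source, pulls out HTML comments (where the reply above found its key) and inline scripts, flags AWS-shaped access key IDs with a nearby high-entropy secret, and lists the external scripts a full scan would fetch next. The sample page and its credential values are constructed, using the placeholder keys from AWS's own documentation.

```python
import math
import re
from html.parser import HTMLParser

# Constructed sample page; the AWS values are AWS's documented placeholders, not real secrets.
SAMPLE_HTML = """<!doctype html><!-- TODO remove: aws_access_key_id=AKIAIOSFODNN7EXAMPLE
  aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY --><html><head>
<script src="/static/app.js"></script><script>window.cfg = {region: "us-east-1"};</script></head><body></body></html>"""
AWS_KEY_ID = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# Standalone 40-char base64-alphabet token: the shape of an AWS secret access key.
AWS_SECRET = re.compile(r"(?<![A-Za-z0-9/+])([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])")

def shannon_entropy(s):  # bits per char; random secrets score far above prose or padding
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

class DeployedPageExtractor(HTMLParser):
    """Collect where builds leak: HTML comments, inline <script> bodies, external script URLs."""
    def __init__(self):
        super().__init__()
        self.comments, self.inline_scripts, self.script_srcs, self._in_script = [], [], [], False
    def handle_comment(self, data):
        self.comments.append(data)
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            self._in_script = src is None  # an inline body follows only when there is no src
            self.script_srcs += [src] if src else []  # external JS: fetch and scan it too
    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"
    def handle_data(self, data):
        if self._in_script:
            self.inline_scripts.append(data)

def find_aws_credentials(text, min_entropy=4.0):
    """(key_id, secret_or_None) per key ID; a secret must be a high-entropy token near the ID."""
    findings = []
    for m in AWS_KEY_ID.finditer(text):
        window = text[m.end():m.end() + 200]  # the secret usually sits right after the key ID
        secret = next((s.group(1) for s in AWS_SECRET.finditer(window)
                       if shannon_entropy(s.group(1)) >= min_entropy), None)
        findings.append((m.group(1), secret))
    return findings

def scan_deployed_html(html):
    """Return (findings, external_script_urls); a finding is (location, key_id, secret)."""
    p = DeployedPageExtractor()
    p.feed(html)
    p.close()
    return [(where, k, s) for where, chunks in (("html-comment", p.comments), ("inline-script", p.inline_scripts))
            for chunk in chunks for k, s in find_aws_credentials(chunk)], p.script_srcs
```

Run against the HTML your production site actually serves (and then against each URL in the returned script list), not against the repository, since that is the gap the post describes.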