
A Third of Compromised API Keys Still Active

API keys are an alternative to passwords for connecting to a computer or web service. Typically, API keys are used by software applications to talk to other applications and are considered more secure than using user IDs and passwords to authenticate.

Unfortunately, too many developers don’t treat API keys like the security risk they are.

API keys are often used by cloud applications to talk to other cloud applications, and as cloud applications proliferate, this problem gets worse. Security firm Nightfall scanned hundreds of terabytes of data looking for “secrets”. “Secrets” is a generic term for passwords, API keys, database connection strings and other things that should not be public.

They found more than 171,000 secrets exposed across SaaS applications, GenAI tools, email and other public places.

One of the more common places to find them is hardcoded into web applications. That means that anyone who looks at the code can find — and abuse — those secrets.
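As an added illustration (not code from the article or from Nightfall), this is the kind of small scanner a defender can run over a repository before code is pushed anywhere: it flags quoted literals assigned to credential-looking names, skips obvious placeholders, and applies a Shannon-entropy threshold to cut false positives. The name patterns are an illustrative assumption, and the sample source and key-looking strings are constructed.

```python
import math
import re

# Variable names that usually hold credentials.
# Assumption: a short illustrative list, not any vendor's detection rules.
SECRET_NAMES = re.compile(
    r"(api[_-]?key|secret|token|password|passwd|pwd)", re.IGNORECASE
)
# Assignment of a quoted literal of 8+ chars:  name = "value"  or  name: 'value'
ASSIGN = re.compile(
    r"""(?P<name>[A-Za-z_][A-Za-z0-9_.-]*)\s*[:=]\s*["'](?P<value>[^"']{8,})["']"""
)
# Values that are templated or clearly not real credentials.
PLACEHOLDER = re.compile(r"^(\$\{|%\(|<|\{\{|changeme|xxx|example)", re.IGNORECASE)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; real keys are close to random."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_hardcoded_secrets(source: str, min_entropy: float = 3.0) -> list:
    """Return (line_no, name, value) for literals that look like live secrets."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        m = ASSIGN.search(line)
        if not m or not SECRET_NAMES.search(m.group("name")):
            continue
        value = m.group("value")
        # Skip placeholders and low-entropy dictionary words.
        if PLACEHOLDER.match(value) or shannon_entropy(value) < min_entropy:
            continue
        hits.append((line_no, m.group("name"), value))
    return hits


# Constructed sample source; every key-looking string below is made up.
SAMPLE = '''\
DB_HOST = "db.internal.example"
STRIPE_API_KEY = "sk_live_Qm3xZ9vLp7Tk2Rw8Nb4Yc6Hd1Jf5Gs"
password = "changeme"
token = os.environ["API_TOKEN"]
slack_token: 'xoxb-1234567890-abcdefghijklmnop'
aws_secret = "${AWS_SECRET_ACCESS_KEY}"
'''

if __name__ == "__main__":
    for line_no, name, value in find_hardcoded_secrets(SAMPLE):
        print(f"line {line_no}: {name} = {value[:6]}...")  # never print the full value
```

Only lines 2 and 5 are reported; the environment lookup and the templated value are correctly ignored.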

While they found more passwords in their scan (59%) than API keys (39%), they should not have found either of them.

The most common places to find the secrets were GitHub, Confluence and Zendesk.

But there is some good news here. Not all of the secrets that they found still worked. In fact, only a little more than one-third of them were still active. What that means is that of the 171,000 secrets they found, more than 50,000 of them would still unlock the door to your data.

Remember that they only scanned a tiny fraction of the code out there, so you can only speculate whether the true total is 500,000 working keys, 5 million keys or 50 million keys.

There are a number of ways to avoid hardcoding secrets, but all of them require reworking your software.

Alternatively, you can allow anyone who stumbles upon your secrets to steal whatever the secrets protect.

Your choice. Credit: Helpnet Security
