The Silent Threat: How Exposed API Secrets are Compromising Cybersecurity

Neehar Pathare
June 26, 2024 | Cybersecurity

By Neehar Pathare, MD, CEO & CIO, 63SATS

Every day, over 560,000 new cyber threats are detected, many of which are tied to exposed API secrets and access tokens.

In February 2023, a significant vulnerability was discovered on Lowe’s Market website. Publicly accessible environment files leaked sensitive access tokens to AWS S3 buckets and API keys to third-party services. Among these was the GrocerKey API key, which allowed malicious actors to access partial credit card information, customer addresses, and top-spending users. The exposure extended to sending unsolicited orders, issuing refunds, launching ad campaigns, resetting passwords, and checking in-store and in-app balances.

Similarly, in a high-profile case involving Microsoft, an advanced persistent threat (APT) actor named Storm-0558 exploited a leaked Microsoft Account Consumer Key. This breach provided unauthorized access to unclassified email data from various government agencies, demonstrating the far-reaching consequences of poorly secured API secrets.

These incidents underscore a critical issue: the improper handling and infrequent rotation of API keys and access tokens can lead to severe security breaches.

The Broad Scope of API Secret Exposures

Secret sprawl occurs when sensitive data, such as API keys, unintentionally becomes exposed. Since 2022, the frequency of these incidents has surged. The primary causes include developer oversight, lack of awareness, and failure to follow best practices.

A comprehensive analysis conducted by Escape, a provider of API security solutions, revealed alarming statistics: over 18,000 exposed API secrets across 1 million popular domains. Among these, 41% were classified as highly critical, highlighting the widespread problem of API secret sprawl.

Additionally, 2023 saw a staggering 1212x increase in the number of leaked OpenAI API keys compared to the previous year, making them the top-ranked issue identified by GitGuardian.

Detecting and mitigating secrets sprawl is challenging. It requires identifying the leak’s source, timing, and location.

The rapid growth in code creation and the adoption of new programming methodologies, including AI-driven development, have increased the risk of secret exposure. This issue is now widely recognized as a pervasive challenge, necessitating more stringent management of secrets throughout the software development lifecycle (SDLC).

Cybersecurity Incidents Highlight the Dangers of Hard-Coded Secrets

Recent cybersecurity breaches involving prominent companies like Uber and Toyota have spotlighted the urgent need to tackle secrets sprawl and enhance code security.

Uber’s Breach: An attacker exploited hard-coded admin credentials found in a PowerShell script, gaining access to critical systems.

Toyota’s Exposure: Credentials that allowed access to customer data were inadvertently left in a public GitHub repository for nearly five years.

These cases illustrate the risks associated with secrets sprawl—where sensitive data like API keys are exposed. Such incidents are common in open-source projects and can lead to unauthorized access to essential systems, significant financial losses, data breaches, and severe reputational damage.

Securing APIs is inherently complex, and it becomes even more challenging when keys and tokens are inadvertently exposed. As cyber threats continue to evolve, proactive and vigilant management of API secrets is crucial to safeguarding your systems and data.

By implementing robust security measures and fostering a culture of awareness, businesses can mitigate the risks associated with API secret sprawl and enhance their overall cybersecurity posture.