API Keys Exposed: Global Security Risk Found
23 Mar
Summary
- Nearly 10,000 websites exposed sensitive API keys.
- Leaked keys could grant attackers server impersonation.
- Credentials remained public for an average of 12 months.

Thousands of websites, some belonging to major financial and healthcare institutions, have exposed critical security credentials. Researchers identified nearly 10,000 sites with leaked API keys, which could grant attackers access to sensitive data and control over digital infrastructure.
These exposed API keys, including RSA private keys, could allow unauthorized individuals to impersonate servers and decrypt private communications. The vulnerability affects services from major providers like Amazon Web Services, Stripe, and OpenAI, with exposed credentials remaining online for an average of 12 months, and some for as long as five years.
The issue stems from how software developers package code and utilize third-party resources. While developers often follow best practices, programming quirks can lead to API keys being unintentionally revealed. Researchers have notified affected companies, with about half resolving the issue within two weeks.
Addressing this widespread vulnerability requires a multi-faceted approach. Developers must carefully configure environments, website-building tool creators should implement default security for secret keys, and hosting companies need to actively scan for and deactivate leaked credentials to prevent misuse.
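The last recommendation above, scanning for leaked credentials, is the one a hosting provider or a development team can automate most directly. The following added example (not code from the article or from the researchers it describes) scans a built front-end bundle for credential formats that should never reach a browser: AWS access key IDs, Stripe live secret keys, OpenAI API keys and PEM private-key headers, which are the credential types the article names. The regular expressions use the providers' publicly documented key prefixes and are deliberately not exhaustive; the sample bundle and every key in it are constructed for the example. Reports carry only a masked fragment of each match, so the scan output can itself be stored or shipped without re-leaking the secret.

```python
"""Scan text (e.g. a built front-end bundle) for credential formats that
should never ship to a browser. Added illustration; the regexes cover the
publicly documented key prefixes of the providers named in the article
and are deliberately not exhaustive."""
import re
import sys
from dataclasses import dataclass

SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_live_secret": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
    "openai_api_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
    "rsa_private_key": re.compile(r"-----BEGIN (?:RSA )?PRIVATE KEY-----"),
}


@dataclass
class Finding:
    source: str
    line_no: int
    kind: str
    masked: str  # never the full secret, so reports can be stored safely


def mask(value: str) -> str:
    """Keep only the head and tail of a matched secret for reporting."""
    if len(value) <= 8:
        return "****"
    return f"{value[:4]}...{value[-4:]}"


def scan_text(text: str, source: str = "<inline>") -> list[Finding]:
    """Return one Finding per secret-shaped token in text, in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                # A PEM header carries no key material itself; report it by name.
                shown = "<PEM header>" if kind == "rsa_private_key" else mask(match.group(0))
                findings.append(Finding(source, line_no, kind, shown))
    return findings


def scan_files(paths: list[str]) -> list[Finding]:
    """Scan each file on disk; unreadable files are skipped."""
    results: list[Finding] = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="ignore") as fh:
                results.extend(scan_text(fh.read(), source=path))
        except OSError:
            continue
    return results


# Constructed sample of a minified bundle; none of these are real credentials.
# The Stripe publishable key (pk_live_) is designed for client-side use and
# is correctly NOT reported; the four secrets on the following lines are.
SAMPLE_BUNDLE = """\
// constructed sample bundle (no real credentials)
const cfg={stripePublishable:"pk_live_CONSTRUCTED0000000000000000",apiBase:"/api"};
const awsKey="AKIACONSTRUCTED00001",stripeSecret="sk_live_CONSTRUCTED000000000000000000";
fetch("https://api.openai.com/v1/chat/completions",{headers:{Authorization:"Bearer sk-constructedconstructed000000"}});
const pem="-----BEGIN RSA PRIVATE KEY-----"+keyBody+"-----END RSA PRIVATE KEY-----";
"""

if __name__ == "__main__":
    # With file paths as arguments, scan them; otherwise scan the built-in sample.
    hits = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE_BUNDLE, "sample")
    for f in hits:
        print(f"{f.source}:{f.line_no}: {f.kind} {f.masked}")
    # Non-zero exit lets a CI step block the deploy when a secret is found.
    sys.exit(1 if hits else 0)
```

Run it with no arguments to see the four findings on the constructed sample, or pass the paths of a build output directory's files to scan a real bundle before deployment. A hit in a published bundle means the key is already compromised: it must be rotated or deactivated at the provider, not merely removed from the next build, because the article's figures show exposed credentials typically stay public for about a year.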