Developers Unknowingly Leave Sensitive API Tokens Embedded in Live Websites
- Thousands of exposed API keys silently grant access to critical systems.
- Public web pages contain credentials that unlock payment and cloud services.
Security researchers from Stanford University, UC Davis and TU Delft say sensitive API credentials are found openly on thousands of public web pages, with very little protection.
According to a preprint version of the study on arXiv, researchers analyzed 10 million web pages and identified 1,748 valid credentials exposed on nearly 10,000 pages.
These credentials cover cloud platforms, payment services, and development tools used in production environments.
Widespread exposure on everyday websites
The issue affects both lesser-known sites and high-profile organizations, including cases linked to financial institutions and infrastructure-related services.
Nurullah Demir, a PhD candidate at Stanford, said: “What we found were highly sensitive API credentials publicly exposed on public web pages,” describing a pattern that suggests weak controls rather than isolated errors.
These credentials act as access tokens: whoever presents one can call the external system as the application itself.
That is what sets API credentials apart from a user's login details. A key grants automated, continuous access to a service, typically with no second factor or interactive check behind it, so possession of the key alone is enough.
Demir noted that such access can extend to databases, storage systems, and key management infrastructure depending on the permissions attached to each key.
One example involved a major financial institution where cloud credentials were embedded in the website code, creating direct exposure to internal services.
In another case, repository credentials linked to firmware development were found exposed, increasing the possibility of unauthorized code changes and distribution of altered updates.
This extends the risk beyond data access to potential tampering with software used on connected devices.
The researchers traced most of the exposures to client-side code, especially JavaScript files delivered to users’ browsers.
Approximately 84% of the identified credentials appeared in JavaScript resources, and many of them originated from packaged files created by build tools such as Webpack.
A bundler inlines whatever the build configuration hands it, so a build that substitutes server-side environment variables into client code, or imports a module that holds them, ships those values to every visitor unless the configuration is tightly controlled.
Other exposures were found in HTML and JSON files, while some appeared in less typical locations, such as CSS.
The distribution across multiple file types suggests that the issue is built into how web assets are prepared and deployed rather than tied to a single development stage.
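The build-time leak described above, and a scan for its result, as an added example. This is illustrative code written for this page, not the researchers' tooling or anything from TechRadar. It assumes a Webpack project that injects environment variables with DefinePlugin; the function names, the `PUBLIC_` prefix convention, the 4.5-bit entropy threshold and the sample bundle are this example's own, and the key values in the sample are constructed to match only the format of real credentials.

```javascript
// Added example, not code from the study or from TechRadar. It shows the two
// halves of the problem the article describes: (1) a build step that can copy
// credentials into a Webpack bundle, with an allowlisting alternative, and
// (2) a scanner that looks for credential formats in served JavaScript.
// Function and variable names are this example's own; the key values in the
// sample are constructed and match only the *format* of real credentials.

// Well-known credential formats. The regexes carry no 'g' flag so .test()
// has no lastIndex state; the scanner makes a global copy when it needs one.
const CREDENTIAL_PATTERNS = [
  { name: 'AWS access key ID',      re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/ },
  { name: 'Stripe live secret key', re: /\bsk_live_[0-9a-zA-Z]{24,}\b/ },
  { name: 'GitHub token',           re: /\bgh[pousr]_[0-9A-Za-z]{36,}\b/ },
  { name: 'Slack token',            re: /\bxox[abprs]-[0-9A-Za-z-]{10,}\b/ },
  { name: 'Google API key',         re: /\bAIza[0-9A-Za-z_-]{35}\b/ },
  { name: 'private key block',      re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
];

// --- (1) build side -------------------------------------------------------
// The leak pattern: a webpack.config.js that does
//   new webpack.DefinePlugin({ 'process.env': JSON.stringify(process.env) })
// inlines the whole build environment (cloud keys, CI tokens) into the bundle.
// The allowlisting alternative: only variables with a public prefix are
// exposed, and the build fails if one of them still looks like a credential.
function clientSafeDefines(env, publicPrefix = 'PUBLIC_') {
  const defines = {};
  for (const [key, raw] of Object.entries(env)) {
    if (!key.startsWith(publicPrefix)) continue;         // server-only: never shipped
    const value = String(raw);
    const hit = CREDENTIAL_PATTERNS.find(p => p.re.test(value));
    if (hit) throw new Error(`refusing to inline ${key}: looks like a ${hit.name}`);
    // DefinePlugin substitutes source text, so the value must be serialised.
    defines[`process.env.${key}`] = JSON.stringify(value);
  }
  return defines;
}

// --- (2) scanning served assets ------------------------------------------
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Keep only enough of a match to triage it; never log the full secret.
function redact(s) {
  return s.length <= 8 ? '***' : `${s.slice(0, 4)}...${s.slice(-4)}`;
}

// Returns one finding per credential-shaped value in the asset text.
// Named formats come first; a generic high-entropy check (threshold 4.5 bits
// per character, a value chosen for this example) catches opaque secrets such
// as AWS secret access keys that have no recognisable prefix.
function scanAssetForCredentials(text, assetName = '<inline>') {
  const findings = [];
  const named = [];                                   // raw values already reported
  for (const p of CREDENTIAL_PATTERNS) {
    const re = new RegExp(p.re.source, 'g');          // fresh copy, global flag
    for (const m of text.matchAll(re)) {
      named.push(m[0]);
      findings.push({ asset: assetName, kind: p.name, value: redact(m[0]), offset: m.index });
    }
  }
  const literal = /["'`]([A-Za-z0-9+\/=_\-]{32,})["'`]/g;   // long quoted string literals
  for (const m of text.matchAll(literal)) {
    const s = m[1];
    if (named.some(v => s.includes(v))) continue;     // already reported by name
    if (shannonEntropy(s) >= 4.5) {
      findings.push({ asset: assetName, kind: 'high-entropy literal', value: redact(s), offset: m.index + 1 });
    }
  }
  return findings;
}

// Constructed sample resembling a minified bundle. The AWS pair is Amazon's
// documented example key pair, the Stripe value is constructed in live-key
// format; the CDN URL and the all-zero build id show what is *not* flagged.
const SAMPLE_BUNDLE = [
  '(()=>{"use strict";var e={};e.region="us-east-1";',
  'e.accessKeyId="AKIAIOSFODNN7EXAMPLE";',
  'e.secretAccessKey="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";',
  'e.stripe="sk_live_4eC39HqLyjWDarjtT1zdp7dc";',
  'e.cdn="https://cdn.example.com/static/app.4f3a9c1b.js";',
  'e.buildId="' + '0'.repeat(40) + '";',
  'e.init=()=>fetch(e.cdn)})();',
].join('');

const report = scanAssetForCredentials(SAMPLE_BUNDLE, 'app.bundle.js');
console.log(JSON.stringify(report, null, 2));
```

Run against real bundles, the scanner is only a first pass: the named patterns give low false positives, the entropy check gives coverage for prefix-less secrets at the cost of noise, and any hit still needs to be verified against the issuing provider before it is treated as live, which is the same verification step the study had to limit itself to.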
The study also found that exposed credentials often remain accessible for long periods, ranging from several months to several years.
Developers were often unaware of the issue until they were contacted, indicating gaps in the monitoring and review processes.
After disclosure efforts began, the number of exposed credentials dropped by about half within two weeks.
The researchers caution that their findings likely represent only a lower bound, since they could verify credentials only for a limited set of service providers.
That leaves open the possibility that many more credentials remain publicly accessible on the web undetected.