Full Report
Global bank's devs have some cleaning up to do after cloud creds found in website code Computer security boffins have conducted an analysis of 10 million websites and found almost 2,000 API credentials strewn across 10,000 webpages.…
Analysis Summary
# Vulnerability: Large-Scale Exposure of API Credentials in Production Web Applications
## CVE Details
- **CVE ID**: N/A (General architectural flaw/Information Disclosure)
- **CVSS Score**: 9.8 (Critical), *estimated*. This is a class of exposure rather than a single vulnerability, so the score reflects the worst case observed (a leaked key granting direct access to core cloud infrastructure); the severity of any one exposure depends on the scope and privileges of the leaked key.
- **CWE**: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-798: Use of Hardcoded Credentials.
## Affected Systems
- **Products**: Production websites and web applications utilizing third-party APIs.
- **Versions**: N/A
- **Configurations**: Applications using JavaScript build tools (e.g., Webpack) or those embedding API keys directly in client-side code (HTML, JS, JSON, CSS).
- **Service Providers Impacted**: AWS (at least 16% of the exposed credentials), GitHub, Stripe, OpenAI, Cloudflare, Razorpay, SendGrid, and Twilio.
## Vulnerability Description
Security researchers identified systematic exposure of highly sensitive API credentials in the public-facing source of production websites. Unlike the familiar leaks in repository history, these credentials are served by live sites to every visitor. The majority (84%) sit in JavaScript files, and 62% originate in automated build bundles (Webpack and similar). The cause is build-time configuration leaking into the client: bundlers replace references to environment variables with their literal values when they build the bundle, so a server-only secret that the build step is allowed to see (for example, a variable spread into Webpack's `DefinePlugin`, or a `.env` value given a client-exposed prefix) ends up as a plain string constant in the shipped JavaScript instead of staying on the server.
## Exploitation
- **Status**: Potential for widespread exploitation; sampled credentials were found to be valid, and keys remained exposed for an average of 12 months.
- **Complexity**: Low. The key can be read by fetching the site's JavaScript and searching it; no authentication or interaction with the application is needed, and the process is trivially automated across many sites.
- **Attack Vector**: Network. The credentials are delivered to any browser or HTTP client that loads the page's assets.
## Impact
- **Confidentiality**: Total (Direct access to databases, key management systems, and private repositories).
- **Integrity**: Total (Ability to modify cloud infrastructure, alter financial data, or inject malicious code into firmware via hijacked GitHub tokens).
- **Availability**: High (Unauthorized actors could delete cloud resources or disrupt communications).
## Remediation
### Patches
- Not a software patch. Every exposed credential must be **revoked and then rotated**; rotating alone leaves the old key valid until it is revoked. Because keys stayed exposed for a year on average, the provider's audit logs for the old key should be reviewed for use during the exposure window, and the new key must be kept out of the bundle (see Workarounds) or it will leak again on the next deploy.
### Workarounds
- **Server-Side Proxying**: Route third-party API calls through a backend endpoint that holds the key, so the key never reaches the browser. Restrict the proxy to the specific upstream routes the front end needs and protect it with the application's normal authentication; an open proxy hands every visitor the key's full privileges.
- **Environment Variable Protection**: Bundlers inline environment variables as string constants at build time, so configure them to expose only variables intended for the client. Vite exposes only `VITE_`-prefixed variables to client code, Create React App only `REACT_APP_`-prefixed, and Next.js only `NEXT_PUBLIC_`-prefixed; with Webpack, never spread the whole `process.env` into `DefinePlugin`. Name server-only secrets so they fall outside these prefixes, and keep them out of any `.env` file the front-end build reads.
- **Scope Limitation**: Use a provider's restricted "publishable" key (Stripe's `pk_` keys, as opposed to its `sk_` secret keys) for anything that must run in the browser, and give server-side keys the minimum scopes the application actually uses so that a leak is limited in what it can reach.
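The before/after below is an added example written for this summary; it is not code from the paper, The Register, or any affected site. It assumes a hypothetical payments API at `https://api.example-payments.test` authenticated with a Bearer secret key, a server that receives that key from a `PAYMENTS_SECRET_KEY` environment variable, and Node 18 or later (global `fetch`). The "before" function is the pattern from the Vulnerability Description: the key is a constant in client code, so the bundler copies it into the shipped JavaScript. The "after" code is the server-side proxy from the Workarounds: the browser calls `/api/...` on the site's own backend, which holds the key, forwards only an allowlisted set of upstream routes, and strips response fields the client has no need for.

```javascript
// Added example for this summary (not from the paper, The Register, or any affected site).
// Assumes a hypothetical payments API at https://api.example-payments.test with Bearer auth,
// a PAYMENTS_SECRET_KEY environment variable on the server, and Node 18+ (global fetch).

// ---- BEFORE: the exposed pattern ------------------------------------------
// This constant is part of the client source. Webpack/Vite/etc. copy it into the
// production bundle, so every visitor can read it with "view source".
const LEAKED_KEY = "sk_live_EXAMPLEEXAMPLEEXAMPLEEXAMPLE"; // constructed placeholder

function vulnerableClientRequest(customerId) {
  return {
    url: `https://api.example-payments.test/v1/customers/${encodeURIComponent(customerId)}`,
    headers: { Authorization: `Bearer ${LEAKED_KEY}` }, // the secret leaves the server
  };
}

// ---- AFTER: the browser talks only to our backend --------------------------
const UPSTREAM = "https://api.example-payments.test";

// Only these (method, path) pairs are forwarded. The regexes are anchored, so a
// query string or a path like /api/customers/x/../admin does not match and gets a 404.
const ALLOWED_ROUTES = [
  { method: "GET", pattern: /^\/api\/customers\/[A-Za-z0-9_-]{1,64}$/ },
  { method: "POST", pattern: /^\/api\/checkout$/ },
];

// Upstream response fields the browser is allowed to see; everything else is dropped.
const PUBLIC_FIELDS = ["id", "status", "amount"];

// Builds the upstream request, or returns null when the route is not allowlisted.
// secretKey is read from process.env on the server; it never appears in client code.
function buildUpstreamRequest(method, path, secretKey) {
  const allowed = ALLOWED_ROUTES.some((r) => r.method === method && r.pattern.test(path));
  if (!allowed) return null;
  return {
    method,
    url: UPSTREAM + path.replace(/^\/api/, "/v1"),
    headers: { Authorization: `Bearer ${secretKey}`, "Content-Type": "application/json" },
  };
}

// Keeps only the allowlisted fields so internal upstream data is not relayed to the client.
function filterResponse(body) {
  const out = {};
  for (const field of PUBLIC_FIELDS) if (field in body) out[field] = body[field];
  return out;
}

// Proxy handler: method, path and body come from the browser's request to our server.
// fetchImpl is injectable so the handler can be exercised without network access.
async function handleProxy(method, path, bodyText, secretKey, fetchImpl = globalThis.fetch) {
  const upstream = buildUpstreamRequest(method, path, secretKey);
  if (!upstream) return { status: 404, body: { error: "not found" } };
  const res = await fetchImpl(upstream.url, {
    method: upstream.method,
    headers: upstream.headers,
    body: method === "POST" ? bodyText : undefined,
  });
  const data = await res.json();
  return { status: res.status, body: filterResponse(data) };
}

// Mounting it, e.g. in an Express 4 route (illustrative; session auth and rate
// limiting for this endpoint are still required and are framework-specific):
//   app.all("/api/*", async (req, res) => {
//     const out = await handleProxy(req.method, req.originalUrl, JSON.stringify(req.body),
//                                   process.env.PAYMENTS_SECRET_KEY);
//     res.status(out.status).json(out.body);
//   });
```

The route allowlist and the response filter are the parts that make the proxy a real fix rather than a relocation of the problem: a proxy that forwards arbitrary paths gives every visitor the full privileges of the key, and one that relays the upstream response unchanged can leak internal fields the browser was never meant to see.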
## Detection
- **Indicators of Compromise**: Unauthorized API calls, unexpected cloud resource creation, or unusual activity in CI/CD pipelines; in provider audit logs, use of a key from source addresses, regions or hours outside the application's own pattern.
- **Detection Methods and Tools**:
- **TruffleHog**: Matches known credential formats in fetched JS/HTML and can verify a hit against the provider's API to confirm the key is live, which separates real exposures from placeholders and already-revoked keys.
- **Manual Inspection**: In browser developer tools, search the "Sources" tab (or the downloaded bundle files) for strings such as `sk_live_`, `AKIA`, `Bearer ` and `apiKey`, and check the "Network" tab for requests that send `Authorization` or API-key headers directly to a third-party host; either finding means the key is in the client.
- **Secret Scanning**: Run automated secret scanning in CI/CD and also against the deployed production URLs. Repository scanning alone misses the case this research describes, since the secret is introduced by the build step and may exist only in the emitted bundle.
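The scanner below is an added example written for this summary; it is not the research paper's tooling and not TruffleHog. It shows the two techniques the list names: fixed-format detectors for some of the providers named under Affected Systems (AWS, Stripe, GitHub, SendGrid and Twilio; the OpenAI, Cloudflare and Razorpay formats are left out), plus a Shannon-entropy heuristic for values assigned to names containing `key`, `secret`, `token` or `password`. `SAMPLE_BUNDLE` is a constructed minified snippet that uses AWS's documented example key pair and otherwise invented values; no real credential appears. Publishable keys and Twilio account SIDs are reported but flagged `secret: false` so they can be triaged without revocation.

```javascript
// Added example for this summary: a minimal scanner for fetched JS/HTML bundles.
// Not the paper's tool and not TruffleHog. Detector list is illustrative, not complete.

// Known credential formats. "secret" marks values whose exposure alone is a compromise.
const DETECTORS = [
  { name: "aws-access-key-id", secret: true, re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g },
  { name: "stripe-secret-key", secret: true, re: /\bsk_(?:live|test)_[0-9A-Za-z]{24,}\b/g },
  { name: "stripe-publishable-key", secret: false, re: /\bpk_(?:live|test)_[0-9A-Za-z]{24,}\b/g },
  { name: "github-token", secret: true, re: /\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b/g },
  { name: "sendgrid-api-key", secret: true, re: /\bSG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}(?![A-Za-z0-9_-])/g },
  // An account SID is an identifier, not a secret; it matters when paired with the auth token.
  { name: "twilio-account-sid", secret: false, re: /\bAC[0-9a-f]{32}\b/g },
];

// Generic catch-all: a quoted value of 16+ non-space characters assigned to a
// suspicious name, e.g. apiKey:"...", SECRET_TOKEN = '...'. Entropy decides.
const GENERIC_ASSIGNMENT = /[A-Za-z0-9_]*(?:key|secret|token|password)[A-Za-z0-9_]*\s*[:=]\s*["']([^"'\s]{16,})["']/gi;
const ENTROPY_THRESHOLD = 3.5; // bits per character; random API keys score well above this

// Shannon entropy in bits per character.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Never write the full value to a report; the report itself would become a leak.
function redact(v) {
  return `${v.slice(0, 6)}...(${v.length} chars)`;
}

function lineOf(text, index) {
  return text.slice(0, index).split("\n").length;
}

// Returns findings as { detector, secret, line, value } (plus entropy for generic hits).
function scanBundle(text) {
  const findings = [];
  const seen = new Set(); // values already explained by a specific detector
  for (const d of DETECTORS) {
    for (const m of text.matchAll(d.re)) {
      seen.add(m[0]);
      findings.push({ detector: d.name, secret: d.secret, line: lineOf(text, m.index), value: redact(m[0]) });
    }
  }
  for (const m of text.matchAll(GENERIC_ASSIGNMENT)) {
    const value = m[1];
    if (seen.has(value)) continue;
    const entropy = shannonEntropy(value);
    if (entropy >= ENTROPY_THRESHOLD) {
      findings.push({
        detector: "generic-high-entropy", secret: true, line: lineOf(text, m.index),
        entropy: Number(entropy.toFixed(2)), value: redact(value),
      });
    }
  }
  return findings;
}

// Constructed sample of a minified bundle. The AWS pair is AWS's own documentation
// example (AKIAIOSFODNN7EXAMPLE / wJalr...EXAMPLEKEY); every other value is invented.
const SAMPLE_BUNDLE = [
  '(()=>{"use strict";var e={STRIPE_PK:"pk_live_51ExampleExampleExampleExamp",STRIPE_SK:"sk_live_51ExampleExampleExampleExamp"};',
  'var t={accessKeyId:"AKIAIOSFODNN7EXAMPLE",secretAccessKey:"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"};',
  'fetch("https://api.sendgrid.com/v3/mail/send",{headers:{Authorization:"Bearer SG.abcdefghijklmnopqrstuv.abcdefghijklmnopqrstuvwxyz0123456789ABCDEFG"}});',
  'var n="ghp_0123456789abcdefghijklmnopqrstuvwxyz",s="AC0123456789abcdef0123456789abcdef",o={color:"blue"}})();',
].join("\n");

// Usage against a live site: fetch each script URL listed in the page's <script> tags
// and pass the body to scanBundle; here we run it on the constructed sample.
for (const f of scanBundle(SAMPLE_BUNDLE)) console.log(JSON.stringify(f));
```

The AWS secret access key has no fixed prefix, so only the entropy heuristic catches it; the 40-character documentation example scores about 4.7 bits per character, well above the threshold, while a placeholder such as `"xxxxxxxxxxxxxxxxxxxx"` scores zero and is ignored. Anything the scanner reports as `secret: true` should be confirmed live (TruffleHog's verification does this) and then revoked, not merely removed from the next build.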
## References
- **Research Paper**: hxxps[://]arxiv[.]org/abs/2603.12498
- **Scanning Tool**: hxxps[://]trufflesecurity[.]com/trufflehog
- **Original Report**: hxxps[://]www[.]theregister[.]com/2026/03/27/api_key_exposure/