- Thousands of exposed API keys discreetly grant access to critical systems
- Public web pages contain credentials that unlock cloud and payment services
- Developers unknowingly leave sensitive API tokens embedded in live websites
Security researchers from Stanford University, UC Davis and TU Delft say sensitive API credentials are found openly on thousands of public web pages, with very little protection.
According to a preprint version of the study on arXiv, researchers analyzed 10 million web pages and identified 1,748 valid credentials exposed on nearly 10,000 pages.
These credentials cover cloud platforms, payment services, and development tools used in production environments.
Widespread exposure on everyday websites
The issue affects both lesser-known sites and high-profile organizations, including financial institutions and infrastructure services.
Nurullah Demir, a doctoral student at Stanford, said: “What we discovered was very sensitive API credentials being left publicly exposed on public web pages,” describing a pattern that suggests weak controls rather than isolated errors.
These credentials function as access tokens that allow applications to interact directly with external systems.
API credentials differ from standard login credentials because they allow automated and continuous access to services, often without additional layers of verification.
Demir noted that such access can extend to databases, storage systems and key management infrastructure depending on the permissions attached to each key.
One example involved a large financial institution where cloud credentials were embedded in website code, creating direct exposure to internal services.
In another case, repository credentials related to firmware development were discovered, raising the possibility of unauthorized code changes and distribution of modified updates.
This extends the risk beyond data access to potential manipulation of software used in connected devices.
The researchers traced most exposures to client-side code, particularly JavaScript files delivered to users’ browsers.
About 84% of the credentials identified were in JavaScript resources, many of which came from bundled files created by build tools like Webpack.
These processes can unintentionally include sensitive data when configurations are not tightly controlled.
Further exposures were found in HTML and JSON files, and some appeared in less common locations such as CSS.
The spread across multiple file types suggests that the problem is built into the way web resources are prepared and deployed, rather than tied to a single development stage.
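A minimal pre-deploy secret scan over build output, added here as an example; it is not code from the study or the article. The sample files and key values are constructed placeholders, and the three regexes cover publicly documented key formats (AWS access key IDs, Stripe live secret keys, Google API keys):

```python
import re
from collections import Counter

# Constructed sample build artifacts of the kinds the study names
# (JS bundle, HTML, JSON, CSS). All key values are made-up placeholders.
SAMPLE_FILES = {
    "dist/main.bundle.js": 'var cfg={region:"us-east-1",accessKeyId:"AKIAEXAMPLEKEY000000"};',
    "index.html": '<script>const PK="pk_live_EXAMPLEpublishable0000";</script>',
    "config.json": '{"stripe_secret": "sk_live_EXAMPLEsecretkey00000000"}',
    "theme.css": '.logo{background:url("https://cdn.example/img?key=AIzaEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE")}',
    "app.js": 'console.log("no secrets here");',
}

# Only formats that are meant to stay secret are flagged. Stripe publishable
# keys (pk_live_) are designed for client-side use and are deliberately ignored.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_secret_key": re.compile(r"\bsk_live_[0-9a-zA-Z]{24,}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
}


def scan_assets(files):
    """Return (path, kind, match) for every secret-looking string in the build output."""
    findings = []
    for path, content in files.items():
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(content):
                findings.append((path, kind, m.group(0)))
    return findings


def exposures_by_extension(findings):
    """Count findings per file type, mirroring the study's JS/HTML/JSON/CSS breakdown."""
    return Counter(path.rsplit(".", 1)[-1] for path, _, _ in findings)


def gate(files):
    """Pre-deploy check: True when the build output contains no flagged secrets."""
    return not scan_assets(files)


if __name__ == "__main__":
    for path, kind, value in scan_assets(SAMPLE_FILES):
        print(f"{path}: {kind} -> {value[:8]}...")
    print("by extension:", dict(exposures_by_extension(scan_assets(SAMPLE_FILES))))
```

Run it against the real `dist/` directory as a CI step and fail the build when `gate` returns False; the regex list should be extended with the formats of every provider the application actually uses.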
The study also found that exposed credentials often remain accessible for long periods, ranging from several months to several years.
Developers were often unaware of the issue until contacted, indicating gaps in the monitoring and review processes.
After disclosure efforts began, the number of exposed credentials decreased by about half in two weeks.
The researchers caution that their results likely represent only a lower bound, because they validated credentials only for a limited set of service providers.
This leaves open the possibility that many more credentials remain publicly available on the web without detection.