Many websites at risk of data breaches due to vulnerabilities, impacting tens of thousands of users.

May 30, 2024

Environment (.env) files hold passwords, API keys, and other secrets that websites need to access databases, mail servers, payment processors, content management systems, and various other services. A scan of publicly available indexes reveals thousands of website owners leaving their most precious keys unprotected. These websites are vulnerable to unauthorized access and data breaches, and their visitors are exposed to danger as well.

The analysis of the most up-to-date indexes of environment files reveals a dataset of 1,141,004 secrets cumulatively exposed from 58,364 unique websites. The most commonly exposed secret is database credentials, present in the .env files of over 27 thousand websites. In such cases, only 12 percent of the databases were hosted remotely, likely allowing for easy credential exploitation.

“Databases often store a lot of sensitive information such as users’ private information or admin account information. Database credentials being leaked can expose the website’s users’ names, addresses, passwords, orders, actions, etc,” Cybernews researchers note. The second most frequently leaked secret type is application keys, which are usually used to encrypt and decrypt cookies and other sensitive information.

Email credentials were found to be present in over 10,000 websites. Other exposed data includes credentials for Mautic (a marketing automation platform) and AWS keys. The research team found a few hundred API keys used to access payment processors too, including 140 valid Stripe API keys and over 100 PayPal API keys.
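As an added example (not from the article or the Cybernews researchers), this Python script audits a site's own .env text for the secret categories listed above and reports whether the database host is local or remote, which tells an owner what to rotate if the file was ever web-accessible. The key-name patterns, the `DB_HOST` variable name and the sample contents are assumptions.

```python
import ipaddress
import re
# Key-name patterns are assumptions (common .env naming), not the researchers' rules.
CATEGORIES = {
    "database": re.compile(r"^(DB|DATABASE|MYSQL|POSTGRES)_.*(PASSWORD|PASS|URL)$"),
    "app_key": re.compile(r"^(APP_KEY|APP_SECRET|SECRET_KEY)$"),
    "email": re.compile(r"^(MAIL|SMTP|EMAIL)_.*(PASSWORD|PASS)$"),
    "aws": re.compile(r"^AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY)$"),
    "payment": re.compile(r"^(STRIPE|PAYPAL)_.*(SECRET|KEY)"),
}

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks, comments and malformed lines."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("'\"")
    return env

def db_host_is_remote(host):
    """True when the database host is something other than this machine."""
    if host in ("", "localhost"):
        return False
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True  # a hostname other than localhost

def audit(text):
    """Report key names (never values) per category, plus DB host locality."""
    env = parse_env(text)
    found = {}
    for key, value in env.items():
        for category, pattern in CATEGORIES.items():
            if value and pattern.search(key):
                found.setdefault(category, []).append(key)
    return {"secrets": found, "db_remote": db_host_is_remote(env.get("DB_HOST", ""))}

# Constructed sample; every value is a placeholder, not a real credential.
SAMPLE = """APP_KEY=base64:placeholder
DB_HOST=127.0.0.1
DB_PASSWORD="placeholder"
MAIL_PASSWORD=placeholder
AWS_SECRET_ACCESS_KEY=placeholder
STRIPE_SECRET=placeholder
"""
```

Calling `audit(SAMPLE)` returns only key names grouped by category, so the report itself can be shared without leaking the values.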

Most of the affected websites (17,990) are hosted in the United States. However, secrets are leaking on websites from all over the world. Cybernews researchers discovered 7091 misconfigured websites from Germany, 3290 from India, and 2916 from France.

Other countries with over 1,000 leaking websites are Singapore, China, the United Kingdom, the Russian Federation, Japan, and the Netherlands. The researchers add, “It’s estimated that there are around 1 billion websites on the internet, of which only 200 million are active. This could suggest that we’re exploring only a small fraction of a percentage, or 0.0002 percent, of the total web.”
