- Thousands of exposed API keys quietly allow access to critical systems
- Public web pages contain credentials that unlock cloud and payment services
- Developers unknowingly leave sensitive API tokens embedded in live websites
Security researchers from Stanford University, UC Davis and TU Delft say sensitive API credentials are out in the open on thousands of public web pages with very little protection.
According to a preprint version of the study on arXiv, the researchers analyzed 10 million web pages and identified 1,748 valid credentials displayed on nearly 10,000 pages.
These credentials cover cloud platforms, payment services, and developer tools used in production environments.
Widespread exposure across everyday websites
The problem cuts across both lesser-known websites and high-profile organizations, including cases linked to financial institutions and infrastructure-related services.
Nurullah Demir, a PhD candidate at Stanford, said: “What we found was very sensitive API credentials being publicly exposed on public web pages,” describing a pattern that suggests weak controls rather than isolated errors.
These credentials act as access tokens that allow applications to interact directly with external systems.
API credentials differ from standard login credentials because they enable automated and continuous access to services, often without additional layers of verification.
Demir noted that such access could extend to databases, storage systems and key management infrastructure depending on the permissions attached to each key.
One example involved a major financial institution where cloud credentials were embedded in website code, creating direct exposure to internal services.
In another case, repository credentials associated with firmware development were found exposed, increasing the possibility of unauthorized code changes and distribution of modified updates.
This extends the risk beyond data access to potential manipulation of software used in connected devices.
The researchers traced most exposures to client-side code, particularly JavaScript files delivered to users’ browsers.
About 84% of the credentials identified appeared in JavaScript resources, many of which came from bundled files created by build tools such as Webpack.
These processes can inadvertently include sensitive data when configurations are not carefully controlled.
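As an added example (not code from the study or from TechRadar), the webpack configuration pattern that produces this kind of leak beside its allowlisted form, plus a pre-deploy scan that fails the build if any build-host secret ends up in the bundle; the environment variables, values and bundle text are constructed placeholders, and the `defineMap*` helpers only mimic the replacement map DefinePlugin receives rather than invoking webpack.

```javascript
// Added example, not code from the study or from TechRadar: a pre-deploy check
// for secrets that a bundler has inlined into client-side JavaScript.
// defineMapWeak/defineMapAllowlisted mimic the replacement map that webpack's
// DefinePlugin receives; findInlinedSecrets scans the finished bundle text.

// Constructed build-host environment, standing in for process.env in CI.
const BUILD_ENV = {
  PUBLIC_API_BASE: 'https://api.example.test',
  PAYMENT_SECRET_KEY: 'sk_PLACEHOLDER_not_a_real_key_0123456789',
  CLOUD_ACCESS_KEY: 'PLACEHOLDER_cloud_access_key_abcdef',
};
const PUBLIC_NAMES = ['PUBLIC_API_BASE'];

// Weak config: `new webpack.DefinePlugin({ 'process.env': JSON.stringify(process.env) })`
// copies every variable on the build host, secrets included, into the bundle.
function defineMapWeak(env) {
  return { 'process.env': JSON.stringify(env) };
}

// Corrected config: only names explicitly marked public are inlined, each as
// its own `process.env.NAME` replacement, so nothing unlisted can leak.
function defineMapAllowlisted(env, publicNames) {
  const map = {};
  for (const name of publicNames) {
    if (name in env) map[`process.env.${name}`] = JSON.stringify(env[name]);
  }
  return map;
}

// Scan built bundle text for the literal value of any non-public variable.
// Returns the leaked variable names so a CI step can fail the deploy.
function findInlinedSecrets(bundleText, env, publicNames) {
  const leaked = [];
  for (const [name, value] of Object.entries(env)) {
    if (publicNames.includes(name)) continue;
    if (value.length >= 8 && bundleText.includes(value)) leaked.push(name);
  }
  return leaked;
}

// Constructed bundle output for each config (what a bundler would emit).
const WEAK_BUNDLE = `var e=${defineMapWeak(BUILD_ENV)['process.env']};fetch(e.PUBLIC_API_BASE);`;
const SAFE_BUNDLE = `fetch(${defineMapAllowlisted(BUILD_ENV, PUBLIC_NAMES)['process.env.PUBLIC_API_BASE']});`;

console.log('weak bundle leaks:', findInlinedSecrets(WEAK_BUNDLE, BUILD_ENV, PUBLIC_NAMES));
console.log('safe bundle leaks:', findInlinedSecrets(SAFE_BUNDLE, BUILD_ENV, PUBLIC_NAMES));
```

Running the scan over the real build output, with the CI host's own environment as the reference, catches the value-level leak regardless of which file type (JS, HTML, JSON or CSS) the bundler wrote it into.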
Other exposures were found in HTML and JSON files, while some appeared in less typical places such as CSS.
The spread across multiple file types suggests that the problem is embedded in how web assets are prepared and deployed, rather than tied to a single development step.
The study also found that exposed credentials often remain available for long periods of time, ranging from several months to several years.
Developers were often unaware of the problem before being contacted, indicating gaps in monitoring and review processes.
After the disclosure efforts began, the number of exposed credentials dropped by about half within two weeks.
The researchers caution that their findings likely represent only a lower bound, as they verified credentials from a limited set of service providers.
This leaves open the possibility that far more credentials remain publicly available across the web unnoticed.