Paris, Wednesday January 24th, 2024 – Escape, an API security platform, today announced the results of its 2024 API Secret Sprawl research. The research is based on Escape’s detailed scanning and analysis of the 1 million most popular domains at the beginning of 2024.
Escape’s security research team scanned 189.5M URLs and found more than 18,000 exposed API secrets. 41% of the exposed secrets were highly critical, i.e., they could lead to significant financial risk for the affected organizations; the exposed financial tokens and API keys included $20 million in vulnerable Stripe tokens.
The exposed secrets include hundreds of Stripe, GitHub/GitLab tokens, RSA private keys, OpenAI keys, AWS tokens, Twitch secret keys, cryptocurrency exchange keys, X (formerly Twitter) tokens, and Slack and Discord webhooks.
Recent reports, including GitGuardian's 'The State of Secret Sprawl,' indicate a 67% increase in secret sprawl in 2023 alone, with 10 million new cases of secret exposure in GitHub. This issue extends beyond GitHub, affecting all aspects of software development and operation.
Our research addresses the escalating challenge of API secret sprawl. Beyond public code, our focus extends to real-world applications, ensuring a comprehensive understanding of API vulnerabilities. The diversity of exposed secrets, from AI service keys to financial access and communication tools, emphasizes the widespread challenge of keeping sensitive information secure. - Tristan Kalos, Escape CEO
Unlike other reports, Escape’s web crawler analyzed applications in their actual usage scenarios, examining everything from APIs to frontends, including elements that run in the background like JavaScript. This approach shows how and where API secret keys and tokens are exposed in real-world settings, not only in code repositories.
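The kind of check the crawler approach implies can be run on your own deployed assets before an attacker does it for you. The following is an added example, not Escape's crawler or any code from the report: a small Python scanner that walks a constructed JavaScript bundle line by line, matches a handful of well-known secret formats named in the release (Stripe live keys, AWS access key IDs, GitHub tokens, Slack webhooks, RSA private key headers), assigns an assumed severity, and records only a redacted fragment so that the findings themselves do not become a second leak. The regexes and severities are illustrative assumptions, and all sample values are constructed placeholders; a publishable Stripe key is included to show that public-by-design identifiers are not flagged.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Illustrative secret formats (assumed patterns, not Escape's detection rules).
# Severity labels are assumptions for the example: "critical" for tokens that
# move money or grant cloud access, "high" for tokens that grant service access.
SECRET_PATTERNS: dict[str, tuple[re.Pattern[str], str]] = {
    "stripe_live_key": (re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"), "critical"),
    "aws_access_key_id": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "critical"),
    "rsa_private_key": (re.compile(r"-----BEGIN RSA PRIVATE KEY-----"), "critical"),
    "github_pat": (re.compile(r"\bghp_[0-9A-Za-z]{36}\b"), "high"),
    "slack_webhook": (
        re.compile(r"https://hooks\.slack\.com/services/T[0-9A-Z]+/B[0-9A-Z]+/[0-9A-Za-z]+"),
        "high",
    ),
}

# Constructed frontend bundle for the example. None of these are real credentials;
# AKIAIOSFODNN7EXAMPLE is AWS's documented placeholder key ID.
SAMPLE_BUNDLE = """// constructed bundle: what a build might accidentally ship to the browser
const STRIPE_PUBLISHABLE = "pk_live_000000000000000000000000";  // public by design, not a finding
const STRIPE_SECRET = "sk_live_000000000000000000000000";       // must never reach a client
fetch("https://hooks.slack.com/services/T0000000000/B0000000000/XXXXXXXXXXXXXXXXXXXXXXXX", {method: "POST"});
const aws = {accessKeyId: "AKIAIOSFODNN7EXAMPLE", secretAccessKey: "..."};
"""


@dataclass(frozen=True)
class Finding:
    kind: str
    severity: str
    line: int
    redacted: str  # enough to locate the secret, never the full value


def redact(secret: str) -> str:
    """Keep a short prefix and suffix so a finding can be matched to its source without reprinting it."""
    if len(secret) <= 10:
        return "*" * len(secret)
    return secret[:6] + "*" * (len(secret) - 10) + secret[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per pattern match, with 1-based line numbers."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, (pattern, severity) in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(kind, severity, lineno, redact(match.group(0))))
    return findings


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    """Aggregate findings by severity, the shape a dashboard or CI gate would consume."""
    counts: dict[str, int] = {}
    for finding in findings:
        counts[finding.severity] = counts.get(finding.severity, 0) + 1
    return counts


def should_block_release(findings: list[Finding]) -> bool:
    """A CI gate: any critical finding in a client-side asset blocks the deploy."""
    return any(f.severity == "critical" for f in findings)


if __name__ == "__main__":
    results = scan_text(SAMPLE_BUNDLE)
    for f in results:
        print(f"line {f.line}: {f.kind} [{f.severity}] {f.redacted}")
    print("by severity:", severity_counts(results))
    print("block release:", should_block_release(results))
```

Run this over built static assets (the files the CDN actually serves) rather than source, because bundlers, environment-variable inlining and template rendering are where a server-side secret typically becomes a client-side one. Any hit is a rotate-first event: the scanner tells you the key is public, and until it is rotated the redaction only protects the report, not the key.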
The 2023 incidents, including the leaked Microsoft Account Consumer Key and the OpenSea third-party vendor breach, perfectly illustrate how secrets can be exploited in attacks.
In the case of Microsoft, a cyberattack involved the advanced persistent threat (APT) actor, Storm-0558, who gained access to unclassified email data from various government agencies. This was achieved by discovering a leaked Microsoft Account Consumer Key, which allowed the threat actor to forge access tokens to enterprise email accounts. This incident underscores the importance of secure handling and regular rotation of API keys and access tokens.
In a more recent case, OpenSea, an NFT marketplace, notified their customers of a breach with a third-party vendor. The data breach could have a significant impact since OpenSea is the second-largest non-fungible token (NFT) marketplace by trading volume (36.5%) after Blur (56.8%), which launched only a year ago. This incident highlights the risks associated with third-party integrations and the importance of securing API tokens that provide access to such services.
This extensive exposure of API secrets underscores a critical security issue. Immediate, strategic actions are necessary. Businesses must acknowledge the gravity of secret sprawl and implement rigorous measures to counter it. Centralizing token management, enforcing rotation policies, segmenting access, intensifying security training, and leveraging automated testing tools are essential steps to mitigate these risks.
About Escape
Founded in 2020 by Tristan Kalos and Antoine Carossio, Escape is a cybersecurity company specializing in application security with a platform that combines attack surface monitoring (ASM) capabilities with dynamic application security testing (DAST). The solution allows developers to test the security and reliability of their cloud applications during the development process, before and after their release. Escape already serves thousands of users across the world. More information on: www.escape.tech
Media Contact
Alexandra Charikova
+33 6 34 21 25 23
alexandra@escape.tech