API Secret Sprawl Study Unveils 18,000 Exposed API Secrets, Including $20 Million in Vulnerable Stripe Tokens
January 2024 by Escape
Escape, an API security platform, announced the results of its 2024 API Secret Sprawl research. The research is based on Escape’s detailed scanning and analysis of the 1 million most popular domains at the beginning of 2024.
Escape’s security research team scanned 189.5M URLs and found more than 18,000 exposed API secrets. 41% of the exposed secrets were highly critical, meaning they could lead to significant financial risk for the affected organizations; the exposed financial tokens and API keys included $20 million in vulnerable Stripe tokens.
The exposed secrets include hundreds of Stripe, GitHub/GitLab tokens, RSA private keys, OpenAI keys, AWS tokens, Twitch secret keys, cryptocurrency exchange keys, X (formerly Twitter) tokens, and Slack and Discord webhooks.
Recent reports, including GitGuardian's "The State of Secret Sprawl," indicate a 67% increase in secret sprawl in 2023 alone, with 10 million new cases of secret exposure on GitHub. This issue extends beyond GitHub, affecting all aspects of software development and operation.
Our research addresses the escalating challenge of API secret sprawl. Beyond public code, our focus extends to real-world applications, ensuring a comprehensive understanding of API vulnerabilities. The diversity of exposed secrets, from AI service keys to financial access and communication tools, emphasizes the widespread challenge of keeping sensitive information secure. - Tristan Kalos, Escape CEO
The 2023 incidents, including the leaked Microsoft Account Consumer Key and the OpenSea third-party vendor breach, perfectly illustrate how secrets can be exploited in attacks.
In the case of Microsoft, a cyberattack involved the advanced persistent threat (APT) actor, Storm-0558, who gained access to unclassified email data from various government agencies. This was achieved by discovering a leaked Microsoft Account Consumer Key, which allowed the threat actor to forge access tokens to enterprise email accounts. This incident underscores the importance of secure handling and regular rotation of API keys and access tokens.
In a more recent case, OpenSea, an NFT marketplace, notified their customers of a breach with a third-party vendor. The data breach could have a significant impact since OpenSea is the second-largest non-fungible token (NFT) marketplace by trading volume (36.5%) after Blur (56.8%), which launched only a year ago. This incident highlights the risks associated with third-party integrations and the importance of securing API tokens that provide access to such services.
This extensive exposure of API secrets underscores a critical security issue. Immediate, strategic actions are necessary. Businesses must acknowledge the gravity of secret sprawl and implement rigorous measures to counter it. Centralizing token management, enforcing rotation policies, segmenting access, intensifying security training, and leveraging automated testing tools are essential steps to mitigate these risks.
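The kind of automated check the last paragraph calls for, as an added example that is not Escape's scanner or code: it matches the public token formats of several of the secret types named above (Stripe live keys, AWS access key IDs, GitHub tokens, OpenAI keys, Slack and Discord webhooks) against text pulled from an organization's own public assets, ranks each hit by criticality and redacts it for reporting. The prefixes and lengths are assumptions based on each vendor's documented formats, and the JavaScript bundle is a constructed sample with fake values.

```python
import re
from dataclasses import dataclass

# Assumed public token formats (prefix + length); extend for your own inventory.
# Severity reflects the page's point that financial/cloud keys are the critical ones.
PATTERNS = {
    "stripe_live_secret": (r"\bsk_live_[0-9A-Za-z]{24,}\b", "critical"),
    "aws_access_key_id":  (r"\bAKIA[0-9A-Z]{16}\b", "critical"),
    "github_pat":         (r"\bghp_[0-9A-Za-z]{36}\b", "critical"),
    "openai_key":         (r"\bsk-[0-9A-Za-z]{32,}\b", "high"),
    "slack_webhook":      (r"https://hooks\.slack\.com/services/T[0-9A-Z]+/B[0-9A-Z]+/[0-9A-Za-z]+", "medium"),
    "discord_webhook":    (r"https://discord(?:app)?\.com/api/webhooks/\d+/[\w-]+", "medium"),
}
RANK = {"critical": 0, "high": 1, "medium": 2}

@dataclass
class Finding:
    kind: str
    severity: str
    line_no: int
    redacted: str   # never log the full secret; prefix + last 4 is enough to triage

def redact(secret: str) -> str:
    return secret[:8] + "..." + secret[-4:]

def scan_text(text: str) -> list[Finding]:
    """Scan one fetched asset (JS bundle, HTML, config) and return ranked findings."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, (pattern, severity) in PATTERNS.items():
            for match in re.finditer(pattern, line):
                findings.append(Finding(kind, severity, line_no, redact(match.group(0))))
    # Most critical first, then by position in the file
    return sorted(findings, key=lambda f: (RANK[f.severity], f.line_no))

def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. for a dashboard or CI gate."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts

# Constructed sample of a shipped front-end bundle; every value below is fake.
SAMPLE_JS = """\
// build artefact served to browsers
const STRIPE_KEY = "sk_live_0000000000000000000000EXAMPLE";
const cfg = { region: "us-east-1", aws_key: "AKIAEXAMPLEEXAMPLE00" };
fetch("https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX");
const PUBLISHABLE = "pk_live_0000000000000000000000EXAMPLE"; // publishable, not a secret
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_JS):
        print(f"{f.severity:8} line {f.line_no}: {f.kind} {f.redacted}")
```

The publishable `pk_live_` key on the last sample line is deliberately not matched: the check has to distinguish keys meant to ship to browsers from the server-side secrets that must never appear there.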