Escape's security research team scanned 189.5 million URLs and discovered over 18,000 exposed API secrets. 41% of the secrets exposed were so important that they could pose a financial risk to the organization.
Exposed API secret
Exposed secrets include hundreds of Stripe, GitHub/GitLab tokens, RSA private keys, OpenAI keys, AWS tokens, Twitch private keys, cryptocurrency exchange keys, X tokens, Slack and Discord webhooks.
GitGuardian's State of Secret Sprawl shows that secret sprawl will increase by 67% in 2023 alone, with 10 million new secrets exposed on GitHub. This issue extends beyond his GitHub and affects every aspect of software development and operations.
“Our research addresses the escalating challenge of API secret proliferation. Beyond public code, our focus extends to real-world applications and provides a comprehensive understanding of API vulnerabilities. “The variety of exposed secrets, from keys to AI services to financial access and communication tools, highlights the broader challenge of protecting sensitive information,” said Tristan Kalos, CEO of Escape. says.
Escape's web crawler analyzes applications in real-world usage scenarios, examining everything from the API to the front end, including elements that run in the background such as JavaScript. This approach shows how and where API private keys and tokens are exposed in a real-world setting, not just in a code repository.
How to reduce risk
Escape researchers have outlined the following important steps to reduce risk.
- Centralize token management: Centralized token management ensures secure storage, access, and rotation. By storing all your tokens in one place, you can comprehensively monitor their usage.
- Rotate your tokens regularly. Frequently refreshing tokens can reduce the impact of a potential breach. Tools like AWS Secrets Manager can automate this process of rotating secrets.
- Assign tokens to specific teams or services. Assign each token to the designated team or service that needs it.
- Develop a revocation strategy. Implement a simple process to quickly revoke tokens in the event of a security breach.
- Assign appropriate permissions. Limit the privileges of each token to only what is needed, reducing the potential for large-scale damage.
- Limit the scope of the token. Restrict each token's access within the system.
- Monitor token usage patterns. Actively observe how your tokens detect anomalous or suspicious activity.
- Train your internal team. Ensure that all team members are well-informed about the importance of token security and consistently follow established best practices.
