Uncovering Hidden Secrets Online: The Work of Bill Demirkapi
There is a wealth of information available online, just waiting to be discovered by those who know where to look. Since the fall of 2021, independent security researcher Bill Demirkapi has been delving into unconventional datasets to uncover a multitude of security issues that often go unnoticed by researchers. One of his key findings is the automatic identification of developer secrets, such as passwords, API keys, and authentication tokens, which could potentially be exploited by cybercriminals to gain unauthorized access to corporate systems and steal sensitive data.
Revealing Leaked Secrets and Vulnerabilities
At the Defcon security conference in Las Vegas, Demirkapi presented his findings, which included a staggering number of leaked secrets and vulnerabilities across various websites. Among the 15,000 developer secrets he discovered hardcoded into software, there were hundreds of username and password details related to the Nebraska Supreme Court and Stanford University, as well as over a thousand API keys belonging to customers of OpenAI.
Furthermore, Demirkapi’s research uncovered critical vulnerabilities in over 66,000 websites with dangling subdomain issues, leaving them susceptible to attacks like hijacking. Even major websites, such as some owned by The New York Times, were found to have these vulnerabilities.
The Risks of Exposed Secrets
Developers often inadvertently include company secrets in their code during the software development process. These secrets may range from passwords and encryption keys to API access tokens and cloud provider credentials. The exposure of such secrets poses significant risks, as unauthorized access to corporate code bases, databases, and other sensitive infrastructure could lead to data breaches, network intrusions, and supply chain attacks.
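To make concrete how secrets of the kinds listed above are picked up automatically in source code, here is a small secret scanner written for this article. It is an added example, not Demirkapi's tooling or any project's code: the provider-shaped token patterns (an AWS-style access key ID, an "sk-"-prefixed key in the style used by OpenAI), the sensitive variable-name list, and the entropy threshold are illustrative assumptions, and the "source files" it scans are constructed inline with made-up values so that it runs offline. It combines two rules a defender typically layers together: exact patterns for known credential formats, and a heuristic that flags quoted values assigned to password/secret/token-like names only when they look random enough (Shannon entropy), so that obvious placeholders are not reported.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample "source files" (assumption: none of these values is a real credential).
SAMPLE_FILES = {
    "config.py": (
        'DB_HOST = "db.internal.example"\n'
        'DB_PASSWORD = "Summ3r!Rain-2024-xQ9"\n'
        'AWS_KEY = "AKIAEXAMPLEKEY000001"\n'
    ),
    "client.js": (
        'const apiKey = "sk-EXAMPLEabc123DEF456ghi789JKL012mno345PQR678";\n'
        'const region = "us-east-1";\n'
    ),
    "settings.example": 'PASSWORD = "changeme"\n',
    "README.md": "Set API_KEY via environment variable.\n",
}

# Rule 1: exact shapes of well-known credential formats (illustrative, not exhaustive).
PROVIDER_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "openai-style-key": re.compile(r"\bsk-[A-Za-z0-9]{20,}"),
}

# Rule 2: a quoted value assigned to a sensitive-looking name, kept only if it is long and random.
ASSIGNMENT = re.compile(
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*[\"'](?P<value>[^\"']+)[\"']"
)
SENSITIVE_NAME = re.compile(r"pass(word|wd)?|pwd|secret|token|api[_-]?key|credential", re.I)
MIN_LEN = 8          # shorter strings carry too little entropy to judge
MIN_ENTROPY = 3.0    # bits per character; "changeme" scores about 2.75 and is skipped


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    preview: str  # redacted so the report itself does not leak the secret


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the string's own symbol frequencies."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix for triage and mask the rest."""
    return value[:4] + "***"


def scan_line(path: str, lineno: int, line: str) -> list[Finding]:
    findings = []
    already_reported = set()
    # Provider patterns first: they are precise and need no entropy check.
    for rule, pattern in PROVIDER_PATTERNS.items():
        for m in pattern.finditer(line):
            findings.append(Finding(path, lineno, rule, redact(m.group(0))))
            already_reported.add(m.group(0))
    # Generic heuristic: sensitive name + long, high-entropy quoted value.
    m = ASSIGNMENT.search(line)
    if m and SENSITIVE_NAME.search(m.group("name")):
        value = m.group("value")
        if (value not in already_reported
                and len(value) >= MIN_LEN
                and shannon_entropy(value) >= MIN_ENTROPY):
            findings.append(Finding(path, lineno, "high-entropy-assignment", redact(value)))
    return findings


def scan_files(files: dict) -> list[Finding]:
    """Scan a mapping of path -> file contents and return all findings."""
    results = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            results.extend(scan_line(path, lineno, line))
    return results


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line} [{f.rule}] {f.preview}")
```

Run against the constructed files it reports three findings (the hard-coded database password, the AWS-style key, and the "sk-" key) and stays silent on the hostname, the region string, the README sentence, and the low-entropy "changeme" placeholder. In a real pipeline the same two rules would run as a pre-commit hook or over git history, and the redacted preview is what goes into the ticket; the raw value is never written to the report.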
Demirkapi’s research highlights the importance of addressing these vulnerabilities at scale and finding creative solutions to protect networks from potential threats. By leveraging unconventional datasets and innovative approaches, researchers can identify and mitigate thousands of security issues proactively.