Thousands of publicly exposed, active application programming interface (API) tokens have been spotted across the web that could threaten software integrity and allow bad actors to access confidential information, data or private networks.
The findings come from security researchers at JFrog, who recently made the discovery while testing a new feature in one of the company's security solutions.
The team reportedly scanned over eight million artifacts in the most common open-source software registries, including npm, PyPI, RubyGems, crates.io and DockerHub, to find and verify leaked API tokens.
In the case of npm and PyPI packages, the scan also included multiple versions of the same package to try and find tokens that were once available but removed later.
The scan results showed that Amazon Web Services (AWS), Google Cloud Platform (GCP) and Telegram API tokens were the most leaked tokens. At the same time, the figures showed Amazon developers revoked 53% of all inactive tokens, while GCP only revoked 27%.
“Although the initial goal of their research was to find and fix false positives, the research team uncovered more active secrets than expected, which prompted the detailed analysis,” JFrog wrote in a report shared with Infosecurity.
“To complete the analysis, the team privately disclosed all leaked secrets to their respective code owners (ones who could be identified), offering them a chance to replace or revoke the secrets as needed.”
Regarding what secrets had been disclosed, JFrog mentioned the list included plaintext API keys, credentials, expired certificates and passwords.
More information about the API tokens exposed by JFrog can be found on the company’s website. The technical write-up comes months after CloudSEK discovered over 3200 mobile apps were leaking Twitter API keys.
For more information on how to secure applications against API attacks, you can watch this recent webinar by Jonathan Care from Lionfish Tech Advisors.