Thousands of corporate secrets were left exposed. This guy found them all
Photograph: Roger Kisby


Hello, and welcome to WIRED Start: your weekly roundup of the most important stories, landing in your inbox every Monday. Don’t forget, you can get the very latest from WIRED with our daily newsletter. Sign up to receive it for free here.

This week we meet security researcher Bill Demirkapi, who found more than 15,000 hardcoded secrets and 66,000 vulnerable websites—all by searching overlooked data sources.


If you know where to look, plenty of secrets can be found online. Since the fall of 2021, independent security researcher Bill Demirkapi has been building ways to tap into huge data sources, which are often overlooked by researchers, to find masses of security problems. This includes automatically finding developer secrets—such as passwords, API keys, and authentication tokens—that could give cybercriminals access to company systems and the ability to steal data.

At the Defcon security conference in Las Vegas last week, Demirkapi unveiled the results of this work, detailing a massive trove of leaked secrets and wider website vulnerabilities. Among at least 15,000 developer secrets hard-coded into software, he found hundreds of username and password details linked to Nebraska’s Supreme Court and its IT systems; the details needed to access Stanford University’s Slack channels; and more than a thousand API keys belonging to OpenAI customers.

A major smartphone manufacturer, customers of a fintech company, and a multibillion-dollar cybersecurity company are counted among the thousands of organizations that inadvertently exposed secrets. As part of his efforts to stem the tide, Demirkapi hacked together a way to automatically get the details revoked, making them useless to any hackers.

In a second strand to the research, Demirkapi also scanned data sources to find 66,000 websites with dangling subdomain issues, making them vulnerable to various attacks including hijacking. Some of the world’s biggest websites, including a development domain owned by The New York Times, had the weaknesses.

While the two security issues he looked into are well-known among researchers, Demirkapi says that turning to unconventional datasets, which are usually reserved for other purposes, allowed thousands of issues to be identified en masse and, if expanded, offers the potential to help protect the web at large.

Read the full story here.


Get ahead with these recommended reads

OpenAI Warns Users Could Become Emotionally Hooked on Its Voice Mode

Illustration: George Peters; Getty

The company has revealed details of AI model safety testing—including concerns about its new anthropomorphic interface, write Will Knight and Reece Rogers.

Read the full story here.


USPS Text Scammers Duped His Wife, So He Hacked Their Operation

Getty Images

The Smishing Triad network sends up to 100,000 scam texts per day globally. One of those messages went to Grant Smith, who infiltrated their systems and exposed them to US authorities, writes Matt Burgess.

Read the full story here.


The Benefits of Ozempic Are Multiplying

PHOTO-ILLUSTRATION: WIRED STAFF; GETTY IMAGES

There’s mounting evidence that GLP-1 drugs have health benefits beyond diabetes and weight loss, for conditions ranging from addiction to Parkinson’s—and scientists are evolving theories of why, writes Emily Mullin.

Read the full story here.


Former YouTube CEO Susan Wojcicki Dies at 56

Matt Winkelmeyer/Getty Images

Susan Wojcicki is one of this era's great unsung executives—and was crucial to Google's trajectory from its very beginnings in her garage, writes Steven Levy.

Read the full story here.


Until next time

Energy leaders from across the EU will meet in Berlin to carve the path to rapid global energy transition. Join us on October 10th to witness energy innovation in action and collaborate with over 500 experts and thinkers on making a carbon-free energy system a reality.

WIRED subscribers get an exclusive 25% discount; use the code EXCLUSIVE25. All ticket proceeds go to the Energy Act for Ukraine Foundation.

Find out more: energy-tech-summit.wired.com


Thank you for reading! We'll be back next Monday with another WIRED Start.

Until then, you can unlock unlimited access to WIRED’s content with a subscription.

Alexandre BLANC Cyber Security

Advisor - ISO/IEC 27001 and 27701 Lead Implementer - Named security expert to follow on LinkedIn in 2024 - MCNA - MITRE ATT&CK - LinkedIn Top Voice 2020 in Technology - All my content is sponsored

3 months

That's so #clowd!
