Security researcher Bill Demirkapi has been on a mission to uncover the secrets hidden in plain sight online. Since 2021, he has been developing methods to tap into vast data sources, often overlooked by researchers, to identify security vulnerabilities. His latest findings, unveiled at the Defcon security conference, reveal a staggering trove of leaked secrets and website vulnerabilities.
Demirkapi’s research has uncovered at least 15,000 developer secrets, including passwords, API keys, and authentication tokens, that could grant cybercriminals access to company systems and sensitive data. Among the exposed secrets are hundreds of username and password details linked to the Nebraska Supreme Court and its IT systems, as well as access credentials for Stanford University’s Slack channels. Additionally, over 1,000 API keys belonging to OpenAI customers were found to be exposed.
The list of affected organizations is long: a major smartphone manufacturer, customers of a fintech company, and a multibillion-dollar cybersecurity company all inadvertently exposed sensitive information. Demirkapi has also built a tool that automatically revokes these secrets, rendering them useless to hackers.
In a separate strand of research, Demirkapi scanned data sources to identify 66,000 websites with dangling subdomains, which leave them open to attacks such as subdomain hijacking. Notable websites, including a development domain owned by The New York Times, were found to have these weaknesses.
Demirkapi’s approach involves using unconventional datasets to identify security issues at scale. By doing so, he has uncovered thousands of vulnerabilities that might otherwise have gone undetected. “The goal has been to find ways to discover trivial vulnerability classes at scale,” Demirkapi explains. “I think that there’s a gap for creative solutions.”
According to Alon Schindel, vice president of AI and threat research at Wiz, it’s surprisingly easy for developers to accidentally expose their company’s secrets in software or code. These secrets can include passwords, encryption keys, API access tokens, cloud provider secrets, and TLS certificates. If exposed, these secrets can grant unauthorized access to a company’s code bases, databases, and other sensitive digital infrastructure.
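The kind of check Schindel's point calls for, as an added example that is neither Demirkapi's tool nor any vendor's code: a small scanner that flags secret-like assignments in source text using known token prefixes, secret-suggesting variable names, and value entropy. The sample lines and every value in them are constructed, and the prefix patterns and thresholds are assumptions rather than a complete ruleset.

```python
import math
import re

# Constructed sample of source lines such as might leak from a repository.
# Every value is made up for this example; none is a real credential.
SAMPLE_SOURCE = """\
DB_HOST = "db.internal"
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY000001"
openai_key = "sk-Zq9vPx2LmN8bR4tWc7YdK1sJh3FgA6uE0oI5nVbM"
slack_bot_token = "xoxb-000000000000-EXAMPLEEXAMPLEEX"
password = "hunter2"
BUILD_NUMBER = "20240811"
CALLBACK_ID = "g7Hq2Zx9Lp4Tn8Wv1Kc3Rb6M"
"""

# Provider-specific token shapes (assumed from publicly documented prefixes).
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "openai_api_key": re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
}
# Generic `name = "value"` assignment whose name hints at a secret.
ASSIGNMENT = re.compile(r"""^\s*([A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*["']([^"']+)["']""")
SECRET_NAME = re.compile(r"(?i)(pass(word)?|secret|token|api[_-]?key|private[_-]?key)")
ENTROPY_THRESHOLD = 3.5  # bits per character; hostnames/URLs can exceed this,
MIN_LENGTH = 20          # so the length floor (and an allowlist) keeps noise down


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, finding_kind, matched_value) for each suspected secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hits = [(line_no, kind, m.group(0))
                for kind, pat in KNOWN_PATTERNS.items() for m in pat.finditer(line)]
        findings.extend(hits)
        m = ASSIGNMENT.match(line)
        if hits or not m:
            continue  # provider pattern already reported it, or not an assignment
        name, value = m.group(1), m.group(2)
        if SECRET_NAME.search(name):
            findings.append((line_no, "secret_like_name", value))
        elif len(value) >= MIN_LENGTH and shannon_entropy(value) >= ENTROPY_THRESHOLD:
            findings.append((line_no, "high_entropy_value", value))
    return findings
```

Run as a pre-commit hook, `scan` blocks the commit when it returns findings; the entropy rule is the one that needs tuning per codebase.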