Stanford study finds thousands of exposed API keys on public websites

Exposes access to critical services including AWS, GitHub, Stripe, and OpenAI

Security researchers at Stanford University scanned 10 million webpages and uncovered nearly 2,000 valid API credentials across 10,000 sites, exposing access to critical services including AWS, GitHub, Stripe, and OpenAI.

The findings, detailed in the preprint “Keys on Doormats: Exposed API Credentials on the Web,” warn that leaked keys grant programmatic access, often more dangerous than compromised usernames and passwords, potentially enabling large-scale data exfiltration and even real-world harm.

Lead author and PhD candidate Nurullah Demir said that attackers could directly access cloud databases and key management systems; one global bank reportedly exposed cloud credentials on its own webpages. In another case, repository keys tied to firmware for drones and remote-controlled devices could have allowed adversaries to push malicious updates.

Most exposed secrets were embedded in JavaScript (84%), followed by HTML (8%) and JSON (7%), with AWS credentials comprising over 16% of verified leaks. While coordinated disclosures cut exposed keys by roughly 50%, researchers found many developers were unaware their credentials were public, and that exposures typically persist for about 12 months, sometimes years.

Why it matters:

  • API keys often bypass UI safeguards, offering direct, automated access to sensitive resources.
  • Leaks can cascade: from cloud takeover and data theft to supply-chain attacks via poisoned firmware or code.

What teams should do now:

  • Remove secrets from client-side code; use server-side proxies and short-lived tokens.
  • Enforce least privilege and key rotation; monitor usage anomalies.
  • Add CI/CD secret scanning, SAST/DAST, and CSP to block rogue script sources.
  • Implement incident playbooks for key revocation and attribution.
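As an added illustration of the CI/CD secret-scanning step above (example code written for this page, not tooling from the Stanford study or its authors), the script below checks built web assets in the three formats the study found keys in (JavaScript, HTML, JSON) for the four credential types the article names and reports redacted findings. The prefix patterns are assumptions based on each provider's documented key shape, and every sample key is fabricated.

```python
import re
from typing import Dict, List, Tuple

# Prefix patterns for the credential types the article names. The prefixes
# (AKIA, ghp_, sk_live_, sk-) follow each provider's documented key shape; they
# are an assumption of this example, not a claim about the study's own tooling.
PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "stripe_live_secret": re.compile(r"\bsk_live_[0-9a-zA-Z]{24,}\b"),
    "openai_key": re.compile(r"\bsk-[A-Za-z0-9_-]{32,}\b"),
}

def redact(secret: str) -> str:
    """Keep the prefix and last four characters so findings can be shared safely."""
    return f"{secret[:6]}...{secret[-4:]}"

def scan_text(text: str, source: str) -> List[Tuple[str, str, str, int]]:
    """Return (source, kind, redacted_secret, line_no) for each match in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                hits.append((source, kind, redact(match.group(0)), line_no))
    return hits

def scan_assets(assets: Dict[str, str]) -> List[Tuple[str, str, str, int]]:
    """Scan a mapping of filename -> content, e.g. the output of a web build."""
    return [hit for name, text in assets.items() for hit in scan_text(text, name)]

# Constructed sample assets covering JavaScript, HTML and JSON. Every key value
# below is fabricated; AKIAIOSFODNN7EXAMPLE is the placeholder AWS uses in its
# own documentation. config.json holds only a publishable key and a hash, which
# must not be reported.
SAMPLE_ASSETS = {
    "bundle.js": (
        'const s3 = new S3({ accessKeyId: "AKIAIOSFODNN7EXAMPLE" });\n'
        'const gh = "ghp_0123456789abcdefghijklmnopqrstuvwxyz";\n'
        'fetch(api, { headers: { Authorization: "Bearer sk-' + "a1" * 24 + '" } });\n'
    ),
    "index.html": '<script>Stripe("sk_live_' + "51H" * 10 + '")</script>\n',
    "config.json": '{"stripe": "pk_live_publishable_key_ok", "sha": "' + "ab" * 20 + '"}\n',
}

if __name__ == "__main__":
    for source, kind, secret, line_no in scan_assets(SAMPLE_ASSETS):
        print(f"{source}:{line_no}: {kind} {secret}")
```

Wire `scan_assets` over the build directory as a failing CI step so a key never reaches the CDN in the first place; the redacted output is safe to attach to a ticket for revocation.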

The researchers’ message is blunt: treat API keys like crown jewels, and assume the web will find anything left in plain sight.