15,000 secrets; 66,000 vulnerabilities: How one hacker found them all
Demirkapi rose to prominence for his teenage school-hacking exploits five years ago

Aug 12, 2024
02:10 pm

What's the story

Bill Demirkapi is not your average security researcher. Utilizing unconventional methods, this digital detective has exposed vulnerabilities in some of the world's biggest companies. Now, at the Defcon security conference in Las Vegas, he has exposed 15,000 hardcoded secrets and 66,000 vulnerable websites by going through overlooked data sources. These include login info for Stanford University's Slack channels, and over a thousand API keys belonging to OpenAI customers. To prevent misuse, Demirkapi has devised a method to invalidate the exposed details.

Website vulnerabilities

Demirkapi identified 66,000 websites with dangling subdomain issues

In addition to the exposed secrets, Demirkapi identified websites with dangling subdomain issues. These vulnerabilities could allow cybercriminals to hijack these sites. Among the vulnerable websites were some of the world's biggest platforms, including a development domain owned by The New York Times.

Research method

Using unconventional datasets for research

Demirkapi used unconventional datasets in his research to identify these issues on a large scale. He believes that expanding this approach could help protect the web at large. "The goal has been to find ways to discover trivial vulnerability classes at scale," Demirkapi said to WIRED, adding, "I think that there's a gap for creative solutions."

Process

He used VirusTotal's Retrohunt feature for scanning

Demirkapi used the Retrohunt feature of Google-owned VirusTotal to scan a year's worth of uploaded files for potential malware. He scanned over 1.5 million samples for secrets and validated that the patterns he found were active secret keys. His research resulted in the discovery of over 15,000 active secrets of all kinds.
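The defender-side counterpart of this process is checking a file for hardcoded credentials before it is uploaded or shared. The sketch below is an added example, not Demirkapi's tooling or anything from the original article; the token patterns, the entropy threshold and the sample file are assumptions chosen for illustration.

```python
import math
import re

# Publicly known token shapes; treat them as illustrative assumptions and
# extend the table with the formats your own providers issue.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[abprs]-[0-9A-Za-z-]{10,}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|passw(?:or)?d)\b\s*[:=]\s*['\"]([^'\"\s]{16,})['\"]"
    ),
}

def shannon_entropy(s):
    """Bits per character; random keys score high, words and placeholders low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def redact(value):
    """Keep only enough of a finding to locate it; never log the full secret."""
    return value[:4] + "*" * (len(value) - 4)

def scan_text(text, min_entropy=3.5):
    """Return (line_no, rule, redacted_value) for each likely hardcoded secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                # Entropy gate only on the loose rule; prefixed formats are specific enough.
                if rule == "generic_assignment" and shannon_entropy(value) < min_entropy:
                    continue
                findings.append((line_no, rule, redact(value)))
    return findings

# Constructed sample file. The AWS value is the example key from AWS documentation.
SAMPLE = '''\
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
password = "changemechangemechangeme"
api_key = "q8Zr2LmX0vTn5KpWb7HdYc3J"
SLACK = "xoxb-000000000000-constructedSAMPLEonly"
'''

if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(finding)
```

The low-entropy placeholder on line 2 of the sample is skipped, while the three key-shaped values are reported in redacted form.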

Reporting hurdles

Demirkapi faced challenges in reporting the exposed secrets

Despite his significant findings, Demirkapi encountered difficulties in reporting the exposed secrets. While he was able to directly report some to the impacted companies, others were not as cooperative. For instance, Amazon Web Services refused to provide him access to its existing reporting tools. To circumvent this, Demirkapi began uploading the secrets to GitHub to trigger the company's secret scanning and get them reported.