Django is a Python-based framework that allows web developers to create and manage secure websites. Because it offers many shortcuts, this Python framework is a popular open-source option. These shortcuts can lead to security issues for many web developers.
Searching for Django web apps with enabled Debugg Mode revealed that Database accounts and API keys of over a thousand applications had been exposed online. Hackers can easily steal confidential information from corporates and personal documents. AI Spera’s CIP Team searched web apps such as Django or Laravel as well as related keywords in order to determine the extent of Credential leaked on Criminal IP. This comprehensive cyber threat intelligence search engine is used by AI Spera.
How do you define a credential?
In the dictionary credential is defined as “qualification” and refers generally to proof attesting one’s authority and rights, such as certificates and identification cards. The term Credential can also be used to describe Oauth environments, such as cloud environments, and Facebook where Access Key ID/Secret Key are required for social authentication. In recent days, the term Credential doesn’t necessarily mean authentication-related keys, but in a more comprehensive matter, IP information of internal cloud VPC networks.
Searching for Criminal IP Asset Search Credentials
When searching for authentication-related keywords (Access Key ID, Secret Access Key) on Criminal IP Asset Search, you can often find IPs with exposed credentials, many of which are of either Oauth or RESTfull API.
Access Key ID: Also known as Access Key. This is the username for general websites.
Secret Access Key, also known as the Secret Key refers to general website passwords.
The following Access Key types are used by Amazon Cloud.
Access Keys used in Amazon Cloud
Additionally, you can look for authentication-related information through a Bucket, storage often used in cloud services. This Bucket can be accessed by anyone and could lead to serious issues. To find buckets in read mode, the team searched for Bucket keyword.
You can search for the term “READ_BUCKET_NAME”, on Criminal IP to find 635 sites. You will also see websites called “NAVERCloud VOD Service” that are demo pages for uploading buckets. These websites also have access key IDs and secret keys that can be used to test file uploads. The problem is made worse by the fact that these websites are not unique.
Exposed access credential in HTML Body tag
Searching for Django Web Debug Mode Sites
For ease of development, PHP-based Laravel Frameworks and Python-based Django web apps often use Debug Modes. The Debug Mode is convenient, but it can also cause problems for Django and Laravel Framework as it opens sensitive information up to error messages.
This filter allows you to find websites that have enabled Django Debug Mode for Criminal IP Asset Search.
Django Website with Enabled Debug Mode. This allows you to expose sensitive information to error messages
The HTTP request header exposed on the Django web application contains not only the API Key mentioned so far but also authentication-related information such as Admin and password, as well as DB account.
Django Website with sensitive information like admin passwords
Search Laravel sites with disabled Debug mode.
title: "Whoops! "There was an error!"
Search title result: “Whoops!” Search for Criminal IP Assets Error
Debug Mode activates in all searched IP addresses. You will see the information about APP key, DB account and password when accessed.
Laravel Website with sensitive information like passwords and DB accounts
Exposed Keys API in the Format of Text Files
You can search Asset Search for “APIKEY.txt” to find interesting results
Results when you search “APIKey.txt”, Criminal IP Asset Search
It’s hard to see the intended purpose of the website when you look at it. However, the page source gives you an idea of what this page actually is.
A website after searching for APIKey.txt
This page sources mentions that Firebase is used as its database. You can view the API Key, AuthDomain and AppID which were issued using Firebase SDK.
Source page of this website. Credentials have been exposed.
A website was also discovered by the team that seems to be China’s RESTfullAPI with an exposed Admin’s Access Token.
Chinese Website with exposed Admin Access Token
Many HTML files with Credentials are often displayed by criminal IP. These credentials can be either left unattended during testing, or simply forgotten. For example, the images shown below are HTML files containing Amazon Cloud Service (AWS), IAM Metadata and DynamoDB AWS Key.
1) HTML file with IAM Metadata. You can find user accounts.
HTML File displaying user accounts in the AWS IAM Metadata
2) HTML file using DYnamoDB (one of the most important AWS NoSQL server). Access Key ID, Secret Key and Credentials are all exposed.
Results when searching AWS DynamoDB Administrator on Criminal IP Asset Search
Exposed access key in AWS DynamoDB WorkScript
Developer productivity is soaring thanks to cloud-native technologies. There have been concerns that security may be overlooked because the emphasis is so much on productivity.
Security used to be primarily about account management, such as password and username in the DB, but now there is API Keys that have “change” permission. This means one API Key can cause credential manipulation or leakage.
Security is also evolving rapidly with cloud-related technology. It is important to regularly check in with developers to ensure that they have the latest cyber security technology. We should also remember that in this cloud age, one small mistake, such as a setup error, can result in credential leakage. This could cause catastrophic security damage for both businesses and individuals.
About AI Spera
AI Spera, a company that specializes in cyber threat intelligence, is growing rapidly. It is built on machine learning and AI technologies and focuses on data-oriented security and abnormality detection. It provides Criminal IP and supports a variety of areas where Criminal IP protects against evolving cyber threats. This includes education, research, corporate security teams and white hackers. As many corporations, security researchers and security developers as possible are supported by the Company to see the attack surface from the perspective of an attacker. They also provide diverse AI-based security solutions for different industries.