Django is a Python-based framework that allows web developers to create and manage secure websites. Because it offers many shortcuts, it is a popular open-source choice; those same shortcuts, however, can lead to security issues for many web developers.
Searching for Django web apps with Debug Mode enabled revealed that the database accounts and API keys of over a thousand applications had been exposed online. Hackers can easily steal confidential corporate and personal information from such exposures. To determine the extent of credential leaks, AI Spera’s CIP Team searched for web apps built on Django or Laravel, along with related keywords, on Criminal IP, the comprehensive cyber threat intelligence search engine operated by AI Spera.
How do you define a credential?
In the dictionary, a credential is defined as a “qualification” and generally refers to proof attesting to one’s authority and rights, such as certificates and identification cards. In IT, the term credential also describes OAuth environments, such as cloud platforms and Facebook, where an Access Key ID/Secret Key pair is required for social authentication. Nowadays, the term credential does not necessarily mean only authentication-related keys; in a more comprehensive sense it also covers information such as the IP addresses of internal cloud VPC networks.
Searching for Credentials with Criminal IP Asset Search
When searching for authentication-related keywords (Access Key ID, Secret Access Key) on Criminal IP Asset Search, you can often find IPs with exposed credentials, many of them belonging to OAuth or RESTful API integrations.
- Access Key ID: also known as the Access Key. It corresponds to the username on a general website.
- Secret Access Key: also known as the Secret Key. It corresponds to the password on a general website.
The following Access Key types are used by Amazon Cloud.
Access Keys used in Amazon Cloud
Additionally, you can look for authentication-related information in a bucket, the storage commonly used in cloud services. A bucket that can be accessed by anyone could lead to serious issues. To find buckets in read mode, the team searched for the following bucket keyword.
"READ_BUCKET_NAME"
Searching for the term “READ_BUCKET_NAME” on Criminal IP returns 635 sites. Among them are websites named “NAVERCloud VOD Service”, which are demo pages for uploading to buckets. These websites also expose the access key IDs and secret keys used to test file uploads. The problem is made worse by the fact that these websites are far from unique.
Exposed access credentials in the HTML body tag
Searching for Django Web Debug Mode Sites
For ease of development, PHP-based Laravel and Python-based Django web apps often run in Debug Mode. Debug Mode is convenient, but it can also cause problems for Django and Laravel applications because their error pages disclose sensitive information.
The following filter finds websites with Django Debug Mode enabled on Criminal IP Asset Search.
"DisallowedHost at"
Django website with Debug Mode enabled, exposing sensitive information in error messages
The HTTP request headers exposed on the Django web application contain not only the API keys mentioned so far but also authentication-related information such as the admin account and password, as well as the DB account.
Django website exposing sensitive information such as admin passwords
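As an added example (not code from the article), the following Python fragment shows how a Django settings module can derive DEBUG and ALLOWED_HOSTS so that they fail closed, together with a small audit that flags the misconfigurations behind the exposed pages described above. The environment variable names DJANGO_DEBUG and DJANGO_ALLOWED_HOSTS are this example's own assumptions.

```python
import os
from typing import Dict, List, Mapping, Optional

# Strings accepted as "on" / "off" for boolean environment variables.
_TRUE = {"1", "true", "yes", "on"}
_FALSE = {"0", "false", "no", "off", ""}

def env_bool(name: str, default: bool = False,
             environ: Optional[Mapping[str, str]] = None) -> bool:
    """Parse a boolean env var and fail closed: an unset variable or an
    unrecognised value (e.g. DJANGO_DEBUG=Ture) returns `default`, so a
    typo can never switch Debug Mode on in production."""
    environ = os.environ if environ is None else environ
    raw = environ.get(name)
    if raw is None:
        return default
    raw = raw.strip().lower()
    if raw in _TRUE:
        return True
    if raw in _FALSE:
        return False
    return default

def build_settings(environ: Optional[Mapping[str, str]] = None) -> Dict[str, object]:
    """Derive the two settings that decide what Django's error pages reveal.
    DJANGO_DEBUG and DJANGO_ALLOWED_HOSTS are this example's own variable names."""
    environ = os.environ if environ is None else environ
    raw_hosts = environ.get("DJANGO_ALLOWED_HOSTS", "")
    hosts = [h.strip() for h in raw_hosts.split(",") if h.strip()]
    return {
        "DEBUG": env_bool("DJANGO_DEBUG", default=False, environ=environ),
        "ALLOWED_HOSTS": hosts,
    }

def audit_settings(settings: Dict[str, object]) -> List[str]:
    """Return the misconfigurations behind the exposed pages described above."""
    findings: List[str] = []
    hosts = list(settings.get("ALLOWED_HOSTS") or [])
    if settings.get("DEBUG"):
        findings.append("DEBUG is True: error pages disclose settings and request headers")
    if not hosts:
        # With DEBUG on, any Host header other than localhost renders the
        # 'DisallowedHost at' debug page; with DEBUG off, every request is rejected.
        findings.append("ALLOWED_HOSTS is empty: the site depends on DEBUG to serve anything")
    if "*" in hosts:
        findings.append("ALLOWED_HOSTS contains '*': Host header validation is disabled")
    return findings
```

Running `audit_settings(build_settings())` at start-up and refusing to boot on any finding turns the article's search signature into a deployment gate.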
Searching for Laravel Sites with Debug Mode Enabled
title: "Whoops! There was an error!"
Results of the title search “Whoops!” on Criminal IP Asset Search
Debug Mode is active on all of the returned IP addresses. When accessed, they reveal the APP key, DB account and password.
Laravel website with sensitive information such as passwords and DB accounts
Exposed API Keys in Text File Format
Searching Asset Search for “APIKey.txt” yields interesting results.
APIKey.txt
Results when you search “APIKey.txt”, Criminal IP Asset Search
It is hard to tell the intended purpose of the website just by looking at it. The page source, however, reveals what this page actually is.
A website found by searching for APIKey.txt
The page source shows that Firebase is used as its database. The API Key, AuthDomain and AppID issued via the Firebase SDK are all visible.
Source of the website. Credentials have been exposed.
The team also discovered a website that appears to be a Chinese RESTful API with an exposed admin Access Token.
Chinese Website with exposed Admin Access Token
Criminal IP also frequently surfaces HTML files containing credentials. These credentials were either left unattended during testing or simply forgotten. For example, the images shown below are HTML files containing Amazon Web Services (AWS) IAM metadata and a DynamoDB AWS key.
1) HTML file with IAM metadata, in which user accounts can be found.
HTML file displaying user accounts in the AWS IAM metadata
2) HTML file using DynamoDB (one of the most important AWS NoSQL services). The Access Key ID, Secret Key and credentials are all exposed.
DynamoDB Administrator
Results when searching AWS DynamoDB Administrator on Criminal IP Asset Search
Exposed access key in AWS DynamoDB WorkScript
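As an added example (not part of the article), here is a pre-publish scan of static web files for the credential types found in the page sources above: AWS access key IDs (the 'AKIA' prefix is AWS's documented format), Firebase/Google API keys (the 'AIza' prefix) and quoted secret-key or access-token assignments. The sample files are constructed and use the placeholder key pair from the AWS documentation.

```python
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, int, str, str]  # (file, line number, kind, masked value)

PATTERNS = {
    # AWS long-term access key ID: 'AKIA' followed by 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # Firebase / Google Cloud browser API key of the kind issued via the Firebase SDK.
    "firebase_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    # Quoted value assigned to secretKey / secret_access_key / accessToken and friends.
    "secret_assignment": re.compile(
        r"""["']?(?:secret_?(?:access_?)?key|access_?token)["']?\s*[:=]\s*["']([^"']{8,})["']""",
        re.IGNORECASE,
    ),
}

def mask(value: str) -> str:
    """Keep only the first four characters so the report never re-publishes a secret."""
    return value[:4] + "*" * (len(value) - 4)

def scan_text(name: str, text: str) -> List[Finding]:
    """Scan one file's contents line by line and report every pattern match."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1) if match.groups() else match.group(0)
                findings.append((name, line_no, kind, mask(value)))
    return findings

def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a {path: contents} mapping, e.g. the build output before deployment."""
    findings: List[Finding] = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    return findings

# Constructed sample files: a Firebase SDK config and a DynamoDB test page that
# uses the placeholder access key pair from the AWS documentation.
SAMPLE_FILES = {
    "index.html": '<script>\nconst firebaseConfig = {\n  apiKey: "AIzaSyA0B1C2D3E4F5G6H7I8J9K0L1M2N3O4P5Q",\n'
                  '  authDomain: "demo-app.firebaseapp.com",\n};\n</script>\n',
    "dynamodb-test.html": '<script>\nAWS.config.update({\n  accessKeyId: "AKIAIOSFODNN7EXAMPLE",\n'
                          '  secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",\n});\n</script>\n',
    "about.html": "<p>No credentials here.</p>\n",
}
```

Wiring `scan_files` into CI so that any finding fails the build catches the forgotten test pages this section describes before they are ever served.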
Conclusion
Developer productivity is soaring thanks to cloud-native technologies, but there are concerns that security may be overlooked because the emphasis is so heavily on productivity.
Security used to be primarily about account management, such as the usernames and passwords stored in the DB, but now there are API keys that carry “change” permissions. This means a single API key can enable credential manipulation or leakage.
Security is also evolving rapidly along with cloud technology. It is important to check in regularly with developers to ensure that they are up to date with the latest cyber security practices. We should also remember that in the cloud age, one small mistake, such as a setup error, can result in credential leakage, which could cause catastrophic security damage for both businesses and individuals.
About AI Spera
AI Spera, a rapidly growing company specializing in cyber threat intelligence, builds on machine learning and AI technologies and focuses on data-oriented security and anomaly detection. It provides Criminal IP and supports a variety of areas where Criminal IP protects against evolving cyber threats, including education, research, corporate security teams and white-hat hackers. The company supports as many corporations, security researchers and security developers as possible in seeing their attack surface from an attacker’s perspective. It also provides diverse AI-based security solutions for different industries.