Thousands of websites are accidentally broadcasting sensitive data, study finds
techxplore.com
Researchers have discovered a major security leak hiding in plain sight on the internet that could expose the personal data and financial records of millions of people. In a paper published on the arXiv preprint server, Nurullah Demir of Stanford University and colleagues analyzed 10 million websites to see how often API (application programming interfaces) credentials are exposed. These are digital keys or tokens that enable different software programs to communicate and are often used to process bank payments and access cloud storage.
  • Australis13@fedia.io
    6·
    4 days ago

    Sigh. Don’t hardcode credentials in scripts, especially client-facing ones! If you must have credentials in plaintext on a file system, at least do something like PostgreSQL’s pgpass file (and don’t commit it to your version control system, or have it accessible via your web server!) with the appropriate user permissions set on it.

  • epyon22@sh.itjust.worksEnglish
    6·
    4 days ago

    Remember when writing a client side JavaScript application all that code is transferred to the client machine and executed. Don’t put any sensitive code or strings in that code.

    • folekaule@lemmy.worldEnglish
      4·
      4 days ago

      Yep. Use free tools like gitguardian, gitleaks, etc. and run them in pre-commit hooks. Makes it a lot easier to catch.

      And if you leak one by accident, change it immediately. There are bots trolling sites and repos for this information.