Upon searching for Django web applications with enabled Debug Mode on Criminal IP (https://www.criminalip.io/), Database (hereinafter referred to as DB) accounts information and API Keys of more than 3,100 applications were found to be exposed on the internet. This implies that hackers are able to pocket corporate’s personal information and confidential documents without hassles. To evaluate the extent of credential leakage, the CIP team searched for web applications, including Django and Laravel, and relevant keywords associated with these platforms.
What is a Credential?
In the dictionary, credentials are defined as ‘qualification’ and generally refer to evidence attesting to one’s right and authority, such as your identification card and certificates. The term ‘credential’ is also used in cloud environments and OAuth systems, such as Facebook, where users may authenticate themselves by providing their Access Key ID and Secret Key. In recent days, the term Credential doesn’t necessarily mean authentication-related keys, but in a more comprehensive matter, to IP information of internal cloud VPC networks.
How to Search for Credentials on Criminal IP Asset Search
Searching for authentication-related keywords, such as Access Key ID and Secret Access Key, on Criminal IP Asset Search can often yield results of exposed credentials, including those used in OAuth or RESTful API authentication.
- Access Key ID: Corresponds to the ID for a regular website (a.k.a Access Key)
- Secret Access Key: Corresponds to the password for a regular website (a.k.a Secret Key)
For example, Access Key types used in Amazon Cloud consist of the following:
Types of Access Key used in Amazon Cloud
Additionally, you can look for authentication-related information through a Bucket, a storage often used in cloud services. If accessible, this Bucket could cause serious problems as anybody can steal undisclosed files from the server. We searched for the keyword Bucket to find buckets in read mode.
“READ_BUCKET_NAME”
Upon searching for “READ_BUCKET_NAME” on Criminal IP, you can find a total of 635 websites. Among them, you can also find websites named “NAVERCloud VOD Service TBD,” which are assumed to be demo pages of uploading buckets for NAVER Cloud users. However, these websites have exposed demo Endpoint domain addresses, Access Key IDs, and Access Secret Keys for file upload testing when they were supposed to be hidden. What exacerbates the problem is that there are way more websites like this.
Exposed Access Credential under HTML Body tag
How to Search for Debug Mode Sites of Django Web Application on Criminal IP Asset Search
Debug Modes are often used by PHP-based Laravel Framework and python-based Django web applications for convenience in development. Despite Debug Mode’s convenience, it also poses a problem for both Laravel Framework and Django web applications, as it exposes sensitive information in error messages when activated.
You can use the following filter to search for websites with enabled Django Debug Mode on Criminal IP Asset Search.
“DisallowedHost at“
Django website with enabled Debug Mode, exposing sensitive information to error messages
The HTTP request header exposed on a Django web application contains not only the API Key mentioned previously, but also other authentication-related information such as admin and password credentials and DB account information.
Django website with exposed sensitive information such as Admin and passwords
You can also look for Laravel websites with enabled Debug mode with the filter below.
title: “Whoops! There was an error”
Result when searched title: “Whoops! There was an error” on Criminal IP Asset Search
Laravel Debug Mode is activated in all of these searched IP addresses, and when accessed, you will be able to see information on APP Key, DB account, and password in the error message.
Laravel website with exposed sensitive information such as DB accounts and passwords
Exposed API Keys in the Form of Text Files
If you search for ‘APIKEY.txt’ on Asset Search, you can find something intriguing.
APIKey.txt
Result when searching “APIKey.txt” on Criminal IP Asset Search
If you visit the above site that appeared when you searched for “APIKey.txt” in Asset Search, the screen below is displayed, so you cannot know what the site is for. The page source, however, gives you a clear sense of what this page is all about.
Website access screen found through APIKey.txt search
The page source reveals that this website uses Firebase as its database, and under Firebase Configuration, you can see the API Key, AuthDomain, and AppID issued while using the Firebase SDK.
Page source of the website above. Credentials are exposed.
We have also found a website that appears to be China’s RESTful API with exposed Admin’s Access Token hash.
A Chinese website with exposed Admin Access Token hash
Criminal IP Asset Search often displays HTML files containing credentials that may have been left unattended due to testing or by mistake. The images below, for example, are HTML files with Amazon Cloud Service (AWS) IAM Metadata or DynamoDB AWS Key.
1) HTML file with IAM Metadata. User Accounts are found.
HTML file displaying User Accounts in the AWS IAM Metadata
2) HTML file with DynamoDB, one of the major AWS NoSQL servers. Credentials, including Access Key ID and Secret Key, are exposed.
DynamoDB Admin
Result when searched AWS DynamoDB Admin on Criminal IP Asset Search
Exposed Access Key in the AWS DynamoDB Work Script
Conclusion
Thanks to cloud-native technology, developers’ productivity has been increasing remarkably. However, as the focus is greatly on productivity, there have been voices of concern that security is considered a low priority.
In the past, security was mainly concerned with managing account credentials, such as usernames and passwords stored in a database. However, with the rise of cloud computing, API keys have become an important aspect of security, granting permissions to perform actions like modifying data or resources. Unfortunately, a single leaked API key can lead to credential leakage or manipulation.
As cloud technologies advance rapidly, so does the need for robust security measures. Regular check-ins with developers are essential to ensure that they are up-to-date with cybersecurity technologies. It is important to remember that in the cloud era, even a small mistake, such as a setup error, can have disastrous consequences, potentially leading to credential leakage and significant security breaches for individuals and businesses. Therefore, it is crucial to prioritize security and take proactive steps to prevent such incidents.
Source : Criminal IP (https://www.criminalip.io)
[…] submitted by /u/johnshelby433 [link] […]
[…] View Reddit by Late_Ice_9288 – View Source […]
[…] As seen in the example above, FCM’s default welcome page is currently exposed to the open web. This webpage at times contains Instance ID Token information, also known as the app ID value. Having these token values/API keys leaked can become the root cause of a serious cyber attack. You can read more about this on our blog, where we cover how API keys can be a party to credential leakage. […]
[…] Neglected Redis Commander servers, therefore, can be the root cause of serious data leaks and hacking incidents. For more information about this issue, see API Key, a Key to Credential Leakage & Manipulation. […]
[…] Read more about API Key vulnerabilities and information leaks by reading this article about API Key leaks on Django. […]
[…] API Key, a Key to Credential Leakage & Manipulation […]
[…] As seen in the example above, FCM’s default welcome page is currently exposed to the open web. This default page sometimes contains Instance ID Token information, also known as the app ID value. Having these token values/API keys leaked can become the root cause of a serious cyber attack. You can read more about this on our blog, where we cover how API keys can be a party to credential leakage. […]