Uncovering Online Secrets: The Work of Bill Demirkapi
There are tons of secrets you can find online if you know where to look. Since the fall of 2021, independent security researcher Bill Demirkapi has been leveraging overlooked sources of information to uncover security issues. His work includes automatically finding developer secrets that could compromise corporate systems and lead to data theft.
Revealing Leaked Secrets
At the Defcon security conference in Las Vegas, Demirkapi unveiled the results of his research, uncovering a multitude of leaked secrets and website vulnerabilities. Among the 15,000 developer secrets he found hardcoded into software, there were sensitive details related to organizations such as the Nebraska Supreme Court and Stanford University. Moreover, over a thousand API keys belonging to OpenAI customers were exposed.
Major organizations, including a smartphone maker and a cybersecurity firm, were among those inadvertently leaking secrets. In response to this widespread issue, Demirkapi developed a method to automatically revoke leaked details, rendering them useless to potential hackers.
Identifying Vulnerable Websites
In addition to leaked secrets, Demirkapi’s research also uncovered 66,000 websites with dangling subdomain issues, leaving them vulnerable to various attacks, including hijacking. Even prominent websites like those owned by The New York Times were found to have these vulnerabilities.
Demirkapi’s approach of looking at unconventional datasets and scaling up the search for vulnerabilities provides a unique perspective on cybersecurity. By identifying trivial classes of vulnerabilities at scale, he aims to assist in protecting entire networks from potential threats.
The Risks of Hardcoded Secrets
Developers often inadvertently include company secrets in their software or code, posing serious security risks. Alon Schindel, a security expert, highlights the dangers of hardcoded secrets, emphasizing the potential for data exfiltration, network hacking, and supply chain attacks.
Previous research has shown that thousands of secrets are leaked daily, underscoring the need for comprehensive security measures. Demirkapi’s innovative use of tools like VirusTotal showcases a proactive approach to identifying and addressing security vulnerabilities.