
Google API Keys Expose Gemini AI Data via Leaked Credentials

 

Google API keys, once considered harmless when embedded in public websites for services like Maps or YouTube, have turned into a serious security risk following the integration of Google's Gemini AI assistant. Security researchers at Truffle Security uncovered this issue, revealing that nearly 3,000 live API keys—prefixed with "AIza"—are exposed in client-side JavaScript code across popular sites.

Truffle Security's scan of the November 2025 Common Crawl dataset, which captures snapshots of major websites, identified 2,863 active keys from diverse sectors including finance, security firms, and even Google's own infrastructure. These keys, deployed sometimes years ago (one traced back to February 2023), were originally safe as mere billing identifiers but gained unauthorized access to Gemini endpoints without developers' knowledge. Attackers can simply copy a key from page source, authenticate to Gemini, and extract sensitive data like uploaded files, cached contexts, or datasets via simple prompts.

The danger extends beyond data theft to massive financial abuse, as Gemini API calls consume tokens that rack up charges—potentially thousands of dollars daily per compromised account, depending on the model and context window. Truffle Security demonstrated this by querying the /models endpoint with exposed keys, confirming access to private Gemini features. One reported case highlighted an $82,314 bill from a stolen key, underscoring the real-world impact.

Google acknowledged the flaw as "single-service privilege escalation" after Truffle's disclosure on November 21, 2025, and implemented fixes by January 2026, including blocking leaked keys from Gemini access, defaulting new AI Studio keys to Gemini-only scope, and sending proactive leak notifications. Despite these measures, the "retroactive privilege expansion" caught many off-guard, as enabling Gemini in projects silently empowered old keys.

Developers must immediately audit Google Cloud projects for Gemini API enablement, rotate all exposed keys, and restrict scopes to essentials—avoiding the default "unrestricted" setting. Tools like TruffleHog can scan code repositories for leaks, while regular monitoring prevents future exposures in an era where AI services amplify API risks. This incident highlights the need for vigilance as cloud features evolve.

Publicly Exposed Google Cloud API Keys Gain Unintended Access to Gemini Services

 










A recent security analysis has revealed that thousands of Google Cloud API keys available on the public internet could be misused to interact with Google’s Gemini artificial intelligence platform, creating both data exposure and financial risks.

Google Cloud API keys, often recognizable by the prefix “AIza,” are typically used to connect websites and applications to Google services and to track usage for billing. They are not meant to function as high-level authentication credentials. However, researchers from Truffle Security discovered that these keys can be leveraged to access Gemini-related endpoints once the Generative Language API is enabled within a Google Cloud project.

During their investigation, the firm identified nearly 3,000 active API keys embedded directly in publicly accessible client-side code, including JavaScript used to power website features such as maps and other Google integrations. According to security researcher Joe Leon, possession of a valid key may allow an attacker to retrieve stored files, read cached content, and generate large volumes of AI-driven requests that would be billed to the project owner. He further noted that these keys can now authenticate to Gemini services, even though they were not originally designed for that purpose.

The root of the problem lies in how permissions are applied when the Gemini API is activated. If a project owner enables the Generative Language API, all existing API keys tied to that project may automatically inherit access to Gemini endpoints. This includes keys that were previously embedded in publicly visible website code. Critically, there is no automatic alert notifying users that older keys have gained expanded capabilities.

As a result, attackers who routinely scan websites for exposed credentials could capture these keys and use them to access endpoints such as file storage or cached content interfaces. They could also submit repeated Gemini API requests, potentially generating substantial usage charges for victims through quota abuse.

The researchers also observed that when developers create a new API key within Google Cloud, the default configuration is set to “Unrestricted.” This means the key can interact with every enabled API within the same project, including Gemini, unless specific limitations are manually applied. In total, Truffle Security reported identifying 2,863 active keys accessible online, including one associated with a Google-related website.

Separately, Quokka published findings from a large-scale scan of 250,000 Android applications, uncovering more than 35,000 unique Google API keys embedded in mobile software. The company warned that beyond financial abuse through automated AI requests, organizations must consider broader implications. AI-enabled endpoints can interact with prompts, generated outputs, and integrated cloud services in ways that amplify the consequences of a compromised key.

Even in cases where direct customer records are not exposed, the combination of AI inference access, consumption of service quotas, and potential connectivity to other Google Cloud resources creates a substantially different risk profile than developers may have anticipated when treating API keys as simple billing identifiers.

Although the behavior was initially described as functioning as designed, Google later confirmed it had collaborated with researchers to mitigate the issue. A company spokesperson stated that measures have been implemented to detect and block leaked API keys attempting to access Gemini services. There is currently no confirmed evidence that the weakness has been exploited at scale. However, a recent online post described an incident in which a reportedly stolen API key generated over $82,000 in charges within a two-day period, compared to the account’s typical monthly expenditure of approximately $180.

The situation remains under review, and further updates are expected if additional details surface.

Security experts recommend that Google Cloud users audit their projects to determine whether AI-related APIs are enabled. If such services are active and associated API keys are publicly accessible through website code or open repositories, those keys should be rotated immediately. Researchers advise prioritizing older keys, as they are more likely to have been deployed publicly under earlier guidance suggesting limited risk.
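The audit described above can be modelled as a small check over a key inventory. This is an added example, not code from Truffle Security or Google; the inventory is constructed sample data, and its field names (apiTargets, publiclyEmbedded) and key names are assumptions made for the sketch.

```javascript
// Added example. The inventory below is constructed sample data; its field
// names (apiTargets, publiclyEmbedded) are assumptions for this sketch.
const GEMINI_SERVICE = "generativelanguage.googleapis.com";
const MAPS_SERVICE = "maps-backend.googleapis.com";

const sampleProject = {
  projectId: "example-project", // placeholder
  enabledServices: [MAPS_SERVICE, GEMINI_SERVICE],
  keys: [
    // apiTargets: [] models the default "Unrestricted" setting.
    { name: "maps-web-2023", createTime: "2023-02-10T00:00:00Z",
      apiTargets: [], publiclyEmbedded: true },
    { name: "maps-web-restricted", createTime: "2024-06-01T00:00:00Z",
      apiTargets: [MAPS_SERVICE], publiclyEmbedded: true },
    { name: "backend-gemini", createTime: "2025-09-15T00:00:00Z",
      apiTargets: [GEMINI_SERVICE], publiclyEmbedded: false },
    { name: "legacy-unrestricted", createTime: "2022-11-03T00:00:00Z",
      apiTargets: [], publiclyEmbedded: false },
  ],
};

// A key reaches Gemini only if the API is enabled on the project AND the key
// is either unrestricted or explicitly allowed to call that service.
function keyReachesGemini(enabledServices, key) {
  if (!enabledServices.includes(GEMINI_SERVICE)) return false;
  const unrestricted = key.apiTargets.length === 0;
  return unrestricted || key.apiTargets.includes(GEMINI_SERVICE);
}

// Returns one finding per key that can reach Gemini, most urgent first:
//   rotate   - reachable and embedded in public code
//   restrict - reachable only because the key is unrestricted
//   review   - reachable by explicit configuration, not public
// Within one action, older keys come first, as the researchers advise.
function auditProject(project) {
  const findings = [];
  for (const key of project.keys) {
    if (!keyReachesGemini(project.enabledServices, key)) continue;
    const unrestricted = key.apiTargets.length === 0;
    let action = "review";
    if (key.publiclyEmbedded) action = "rotate";
    else if (unrestricted) action = "restrict";
    findings.push({ key: key.name, createTime: key.createTime, unrestricted, action });
  }
  const rank = { rotate: 0, restrict: 1, review: 2 };
  findings.sort((a, b) =>
    rank[a.action] - rank[b.action] || a.createTime.localeCompare(b.createTime));
  return findings;
}

// The same keys before anyone enabled the Generative Language API:
// nothing is flagged, which is why the later change goes unnoticed.
const beforeEnablement = { ...sampleProject, enabledServices: [MAPS_SERVICE] };

console.log("before enablement:", auditProject(beforeEnablement));
console.log("after enablement:", auditProject(sampleProject));
```

The key restricted to the Maps service never appears in the findings, which is the effect of replacing the "Unrestricted" default with an explicit API restriction.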

Industry analysts emphasize that API security must be continuous. Changes in how APIs operate or what data they can access may not constitute traditional software vulnerabilities, yet they can materially increase exposure. As artificial intelligence becomes more tightly integrated with cloud services, organizations must move beyond periodic testing and instead monitor behavior, detect anomalies, and actively block suspicious activity to reduce evolving risk.

How Poorly Secured Endpoints Are Expanding Risk in LLM Infrastructure

 


As organizations build and host their own Large Language Models, they also create a network of supporting services and APIs to keep those systems running. The growing danger does not usually originate from the model’s intelligence itself, but from the technical framework that delivers, connects, and automates it. Every new interface added to support an LLM expands the number of possible entry points into the system. During rapid rollouts, these interfaces are often trusted automatically and reviewed later, if at all.

When these access points are given excessive permissions or rely on long-lasting credentials, they can open doors far wider than intended. A single poorly secured endpoint can provide access to internal systems, service identities, and sensitive data tied to LLM operations. For that reason, managing privileges at the endpoint level is becoming a central security requirement.

In practical terms, an endpoint is any digital doorway that allows a user, application, or service to communicate with a model. This includes APIs that receive prompts and return generated responses, administrative panels used to update or configure models, monitoring dashboards, and integration points that allow the model to interact with databases or external tools. Together, these interfaces determine how deeply the LLM is embedded within the broader technology ecosystem.

A major issue is that many of these interfaces are designed for experimentation or early deployment phases. They prioritize speed and functionality over hardened security controls. Over time, temporary testing configurations remain active, monitoring weakens, and permissions accumulate. In many deployments, the endpoint effectively becomes the security perimeter. Its authentication methods, secret management practices, and assigned privileges ultimately decide how far an intruder could move.

Exposure rarely stems from a single catastrophic mistake. Instead, it develops gradually. Internal APIs may be made publicly reachable to simplify integration and left unprotected. Access tokens or API keys may be embedded in code and never rotated. Teams may assume that internal networks are inherently secure, overlooking the fact that VPN access, misconfigurations, or compromised accounts can bridge that boundary. Cloud settings, including improperly configured gateways or firewall rules, can also unintentionally expose services to the internet.

These risks are amplified in LLM ecosystems because models are typically connected to multiple internal systems. If an attacker compromises one endpoint, they may gain indirect access to databases, automation tools, and cloud resources that already trust the model’s credentials. Unlike traditional APIs with narrow functions, LLM interfaces often support broad, automated workflows. This enables lateral movement at scale.

Threat actors can exploit prompts to extract confidential information the model can access. They may also misuse tool integrations to modify internal resources or trigger privileged operations. Even limited access can be dangerous if attackers manipulate input data in ways that influence the model to perform harmful actions indirectly.

Non-human identities intensify this exposure. Service accounts, machine credentials, and API keys allow models to function continuously without human intervention. For convenience, these identities are often granted broad permissions and rarely audited. If an endpoint tied to such credentials is breached, the attacker inherits trusted system-level access. Problems such as scattered secrets across configuration files, long-lived static credentials, excessive permissions, and a growing number of unmanaged service accounts increase both complexity and risk.

Mitigating these threats requires assuming that some endpoints will eventually be reached. Security strategies should focus on limiting impact. Access should follow strict least-privilege principles for both people and systems. Elevated rights should be granted only temporarily and revoked automatically. Sensitive sessions should be logged and reviewed. Credentials must be rotated regularly, and long-standing static secrets should be eliminated wherever possible.

Because LLM systems operate autonomously and at scale, traditional access models are no longer sufficient. Strong endpoint privilege governance, continuous verification, and reduced standing access are essential to protecting AI-driven infrastructure from escalating compromise.

Critical better-auth Flaw Enables API Key Account Takeover

 

A flaw in the better-auth authentication library could let attackers take over user accounts without logging in. The issue affects the API keys plugin and allows unauthenticated actors to generate privileged API keys for any user by abusing weak authorization logic. Researchers warn that successful exploitation grants full authenticated access as the targeted account, potentially exposing sensitive data or enabling broader application compromise, depending on the user’s privileges. 

The better-auth library records around 300,000 weekly downloads on npm, making the issue significant for applications that rely on API keys for automation and service-to-service communication. Unlike interactive logins, API keys often bypass multi-factor authentication and can remain valid for long periods. If misused, a single key can enable scripted access, backend manipulation, or large-scale impersonation of privileged users. 

Tracked as CVE-2025-61928, the vulnerability stems from flawed logic in the createApiKey and updateApiKey handlers. These functions decide whether authentication is required by checking for an active session and the presence of a userId in the request body. When no session exists but a userId is supplied, the system incorrectly skips authentication and builds user context directly from attacker-controlled input. This bypass avoids server-side validation meant to protect sensitive fields such as permissions and rate limits. 

In practical terms, an attacker can send a single request to the API key creation endpoint with a valid userId and receive a working key tied to that account. The same weakness allows unauthorized modification of existing keys. Because exploitation requires only knowledge or guessing of user identifiers, attack complexity is low. Once obtained, the API key allows attackers to bypass MFA and operate as the victim until the key is revoked. 

A patched version of better-auth has been released to fix the authorization checks. Organizations are advised to upgrade immediately, rotate potentially exposed API keys, review logs for suspicious unauthenticated requests, and tighten key governance through least-privilege permissions, expiration policies, and monitoring. 
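The authorization decision described above, next to a hardened form, as an added example. It is a simplified model written from this article's description, not better-auth source code or its patch; every function and field name in it is hypothetical.

```javascript
// Added example: a simplified model of the decision described above.
// All names are hypothetical; this is not better-auth source code.
class AuthError extends Error {}

// Fields that only trusted server-side code should be able to set
// (the article names permissions and rate limits; field names are assumed).
const SERVER_ONLY_FIELDS = ["permissions", "rateLimitMax"];

function rejectServerOnlyFields(body) {
  const bad = SERVER_ONLY_FIELDS.filter((f) => body[f] !== undefined);
  if (bad.length > 0) throw new AuthError("server-only fields: " + bad.join(", "));
}

// Returns a record describing the key; no real key material is generated.
function issueKey(userId, body) {
  return { userId, name: body.name || "unnamed", permissions: body.permissions || [] };
}

// Flawed: a userId in the body is treated as proof of a trusted caller.
function createApiKeyFlawed(session, body) {
  const authRequired = !session && !body.userId;
  if (authRequired) throw new AuthError("unauthorized");
  // With no session, identity is built from request input.
  const user = session ? session.user : { id: body.userId };
  // Validation of protected fields only runs on the session path.
  if (session) rejectServerOnlyFields(body);
  return issueKey(user.id, body);
}

// Hardened: identity comes only from the verified session, a body userId
// may only repeat it, and protected fields are always rejected. Trusted
// server code that needs to set them must use a separate internal path that
// is not reachable from a request (an assumption of this sketch).
function createApiKeyHardened(session, body) {
  if (!session) throw new AuthError("unauthorized");
  if (body.userId !== undefined && body.userId !== session.user.id) {
    throw new AuthError("userId does not match session");
  }
  rejectServerOnlyFields(body);
  return issueKey(session.user.id, body);
}

// Runs a handler and reports the result as a string for comparison.
function outcome(handler, session, body) {
  try {
    const key = handler(session, body);
    return "issued for " + key.userId + " [" + key.permissions.join(",") + "]";
  } catch (err) {
    if (err instanceof AuthError) return "rejected: " + err.message;
    throw err;
  }
}

// Constructed test inputs.
const aliceSession = { user: { id: "user-alice" } };
const authCases = [
  ["no session, body names a user", null, { userId: "user-bob", permissions: ["admin"] }],
  ["session, own key", aliceSession, { name: "ci" }],
  ["session, body names another user", aliceSession, { userId: "user-bob" }],
  ["session, protected field", aliceSession, { permissions: ["admin"] }],
];

for (const [label, session, body] of authCases) {
  console.log(label);
  console.log("  flawed:  ", outcome(createApiKeyFlawed, session, body));
  console.log("  hardened:", outcome(createApiKeyHardened, session, body));
}
```

A regression test for the upgrade can assert the same thing against the real endpoint in a staging environment: a request without a session must be rejected regardless of what the body contains.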

The incident highlights broader risks tied to third-party authentication libraries. Authorization flaws in widely adopted components can silently undermine security controls, reinforcing the need for continuous validation, disciplined credential management, and zero-trust approaches across modern, API-driven environments.

Salesloft Integration Breach Exposes Salesforce Customer Data


 

A recent cyber incident has brought to light how one weak link in software integrations can expose sensitive business information. Salesloft, a sales automation platform, confirmed that attackers exploited its Drift chat integration with Salesforce to steal tokens that granted access to customer environments.

Between August 8 and August 18, 2025, threat actors obtained OAuth and refresh tokens connected to the Drift–Salesforce integration. These tokens work like digital keys, allowing connected apps to access Salesforce data without repeatedly asking for passwords. Once stolen, the tokens were used to log into Salesforce accounts and extract confidential data.

According to Salesloft, the attackers specifically searched for credentials such as Amazon Web Services (AWS) keys, Snowflake access tokens, and internal passwords. The company said the breach only impacted customers who used the Drift–Salesforce connection, while other integrations were unaffected. As a precaution, all tokens for this integration were revoked, forcing customers to reauthenticate before continuing use.

Google’s Threat Intelligence team, which is monitoring the attackers under the name UNC6395, reported that the group issued queries inside Salesforce to collect sensitive details hidden in support cases. These included login credentials, API keys, and cloud access tokens. Investigators noted that while the attackers tried to cover their tracks by deleting query jobs, the activity still appears in Salesforce logs.

To disguise their operations, the hackers used anonymizing tools like Tor and commercial hosting services. Google also identified user-agent strings and IP addresses linked to the attack, which organizations can use to check their logs for signs of compromise.

Security experts are urging affected administrators to rotate credentials immediately, review Salesforce logs for unusual queries, and search for leaked secrets by scanning for terms such as “AKIA” (used in AWS keys), “Snowflake,” “password,” or “secret.” They also recommend tightening access controls on third-party apps, limiting token permissions, and shortening session times to reduce future risk.
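A scanner for the terms listed above, extended with the "AIza" Google API key prefix from the earlier articles on this page, as an added example rather than tooling from Salesloft, Google or Truffle Security. The record shape, rule names and sample records are constructed for the sketch, and matched values are redacted so the report does not become a second copy of the secrets.

```javascript
// Added example; record shape and rule names are assumptions for this sketch.
// keep = how many leading characters of a match may appear in the report.
const RULES = [
  { rule: "aws-access-key-id", confidence: "high", keep: 4,
    re: /(?<![0-9A-Z])AKIA[0-9A-Z]{16}(?![0-9A-Z])/g, value: (m) => m[0] },
  { rule: "google-api-key", confidence: "high", keep: 4,
    re: /(?<![\w-])AIza[\w-]{35}(?![\w-])/g, value: (m) => m[0] },
  // Catches "password: x", "client_secret=x", "aws_secret_access_key = x".
  { rule: "credential-assignment", confidence: "medium", keep: 0,
    re: /(?:password|secret)\w*\s*[:=]\s*(\S+)/gi, value: (m) => m[1] },
  // A bare keyword is only a lead for manual review, not a secret itself.
  { rule: "snowflake-mention", confidence: "low", keep: 0,
    re: /\bsnowflake\b/gi, value: () => null },
];

// Never echo a full secret into a report or ticket.
function redact(value, keep) {
  return value.slice(0, keep) + "[redacted, " + value.length + " chars]";
}

// records: [{ id, text }] such as exported case bodies or source files.
// Returns findings in record, line, rule order.
function scanRecords(records) {
  const findings = [];
  for (const rec of records) {
    rec.text.split(/\r?\n/).forEach((line, i) => {
      for (const r of RULES) {
        for (const m of line.matchAll(r.re)) {
          const value = r.value(m);
          findings.push({
            id: rec.id,
            line: i + 1,
            rule: r.rule,
            confidence: r.confidence,
            evidence: value === null ? m[0] : redact(value, r.keep),
          });
        }
      }
    });
  }
  return findings;
}

// Constructed sample data. The AWS value is the example key ID from AWS
// documentation; the Google-style key is a placeholder of the right length.
const FAKE_GOOGLE_KEY = "AIza" + "0".repeat(35);
const sampleRecords = [
  { id: "case-001",
    text: "Customer pasted creds:\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\npassword: hunter2-constructed" },
  { id: "case-002",
    text: "Snowflake account locator shared in thread, no token included." },
  { id: "site.js",
    text: 'const MAPS_KEY = "' + FAKE_GOOGLE_KEY + '";\ninitMap(MAPS_KEY);' },
  { id: "case-003",
    text: "Reset link sent. Nothing sensitive here." },
];

for (const f of scanRecords(sampleRecords)) {
  console.log(`${f.id}:${f.line} ${f.rule} (${f.confidence}) ${f.evidence}`);
}
```

High-confidence findings identify credentials to rotate; the low-confidence keyword hits identify records worth reading by hand.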

While some extortion groups have publicly claimed responsibility for the attack, Google stated there is no clear evidence tying them to this breach. The investigation is still ongoing, and attribution remains uncertain.

This incident underlines the broader risks of SaaS integrations. Connected apps are often given high levels of access to critical business platforms. If those credentials are compromised, attackers can bypass normal login protections and move deeper into company systems. As businesses continue relying on cloud applications, stronger governance of integrations and closer monitoring of token use are becoming essential.




Rise in Data-Stealing Malware Targeting Developers, Sonatype Warns

 

A recent report released on April 2 has uncovered a worrying rise in open-source malware aimed at developers. These attacks, described as “smash and grab” operations, are designed to swiftly exfiltrate sensitive data from development environments.

Brian Fox, co-founder and CTO of Sonatype, explained that developers are increasingly falling victim to deceptive software packages. Once installed, these packages execute malicious code to harvest confidential data such as API keys, session cookies, and database credentials—then transmit it externally.

“It’s over in a flash,” Fox said. “Many of the times, people don’t recognize that this was even an attack.”

Sonatype, a leader in software supply-chain security, revealed that 56% of malware identified in Q1 2025 focused on data exfiltration. These programs are tailored to extract sensitive information from compromised systems. This marks a sharp increase from Q4 2024, when only 26% of open-source threats had such capabilities. The company defines open-source malware as “malicious code intentionally crafted to target developers in order to infiltrate and exploit software supply chains.”

Fox emphasized that these attacks often begin with spear phishing tactics—posing as legitimate software packages on public repositories. Minor changes, such as replacing hyphens with underscores in filenames, can mislead even seasoned developers.

“The attackers fake the number of downloads. They fake the stars so it can look as legit as the original one, because there’s not enough awareness. [Developers] are not yet trained to be skeptical,” Fox told us.

These stolen data fragments—while small—can have massive consequences. API keys, hashed passwords, and cookie caches serve as backdoors for broader attacks.

“They’re breaking into the janitor’s closet, not to put in a bomb, but to grab his keychain, and then they’re going to come back at night with the keychain,” Fox said.

The 2025 report highlights early examples:

Compromised JavaScript packages on npm were found to steal environment variables, which typically contain API tokens, SSH credentials, and other sensitive information.

A fake npm extension embedded spyware that enabled complete remote access.

Malicious packages targeted cryptocurrency developers, deploying Windows trojans capable of keylogging and data exfiltration. These packages had over 1,900 downloads collectively.

A separate report published by Sonatype in November 2024 reported a 156% year-over-year surge in open-source malware. Since October 2023, over 512,847 malicious packages have been identified—including but not limited to data-exfiltrating malware.

HaveIBeenPwned Founder Compromised in Phishing Incident

 


The cybersecurity expert Troy Hunt, who founded the data breach notification platform Have I Been Pwned, recently revealed that he had been the victim of a phishing attack that was intended to compromise his subscriber list for the attacker to gain access to his data. Hunt explained the circumstances surrounding this incident in a detailed blog post, and provided screenshots of the deceptive email which enabled the attack to succeed.

The fraudulent message impersonated Mailchimp, a legitimate email marketing company, and embedded a hyperlink to a nearly identical but fraudulent domain, a common phishing technique. The spoofed domain, MailChimp-sso.com (now deactivated), was difficult to distinguish from the authentic one at a glance. Hunt acknowledged that he was severely fatigued and jet-lagged at the time of the attack, which made it harder for him to act correctly.

In response to the email, he mistakenly entered his credentials along with the one-time password used for authentication. The fraudulent webpage then failed to proceed to the expected interface, signalling that the attack had been carried out. The incident shows that phishing remains a prevalent risk and underscores the importance of constant vigilance, even among cybersecurity professionals.

As soon as Troy Hunt discovered that he had been victimized by a phishing scam, he reset his password and reviewed his account activity immediately. However, since the phishing attack was highly automated, his credentials were already exfiltrated by the time he could respond. Although Hunt has extensive cybersecurity experience, this particular phishing attempt proved to be extremely successful. 

Hunt attributes the success both to his exhaustion after a long flight and to the sophistication of the email. According to him, the phish was "well-crafted" and subtly manipulated psychological triggers. Rather than using overt threats or excessive urgency, the email suggested that he would not be able to send newsletters unless he took action. It created just enough apprehension to prompt action without raising suspicion.

As a result, Hunt, the founder of the Have I Been Pwned platform, a platform that alerts people to compromised credentials, has taken steps to ensure that the information exposed in this incident will be incorporated into his platform in the future, which he hopes will lead to improved performance. A direct notification will be sent to individuals who have been affected by the breach, including both current subscribers and those who have already unsubscribed but are still impacted by the breach. 

Troy Hunt, a cybersecurity expert who runs a blog dedicated to cyber security and privacy, was targeted on March 25, 2018, by a phishing attack that compromised subscriber data from his blog. The attack originated from an email that impersonated Mailchimp, the platform he uses for sending out blog updates via email. According to the fraudulent message, his account had been suspended temporarily because of a spam complaint and he was required to log in to resolve it.

The fake email appeared authentic, threatening disruption of service and creating a sense of urgency. Despite his extensive experience in identifying similar scams, Hunt did not recognize the attack, as fatigue and jet lag affected his judgment. When he tried to log in through the email's link, he noticed an anomaly: his password manager did not automatically fill in his credentials. This can indicate that a website is fraudulent, but it is not a definitive indication, since legitimate services sometimes require a login from a different domain.

As a result of the attack, approximately 16,000 email records were successfully exfiltrated, including those of active and unsubscribed readers alike. This is the result of Mailchimp's policy of retaining unsubscribed user information, a practice that is now being reviewed. The compromised data included email addresses, subscription statuses, IP addresses and location metadata, though the geolocation data did not pinpoint subscriber locations specifically.

When the breach was discovered, immediate steps were taken to prevent further damage from occurring. It was determined that the attacker's API key would be revoked by Mailchimp, and the phishing website would be taken offline once the password was reset. Founder of Have I Been Pwned, a platform that tracks data breaches, Hunt has now added this incident to its database, making sure that affected users have been made aware of the incident. 

As phishing has become increasingly sophisticated over the years, it has moved beyond stereotypical poorly worded emails and implausible requests, moving into new levels of complexity. Cybercriminals today employ extremely sophisticated tactics that take advantage of human psychology, making it more and more difficult for consumers to distinguish between legitimate and fraudulent communications. The recent incident highlights the growing risks associated with targeted phishing attacks, as well as the importance of cybersecurity awareness and defense. 

Key Insights and Takeaways:

Psychological Manipulation and the Subtle Use of Urgency 

The majority of phishing emails are crafted to create immediate panic in the target, for example through threats of account suspension or urgent payment requests. However, modern attackers have honed their strategies, using subtle psychological techniques to weaken the defences of their targets. In this case, the fraudulent email implied a minor yet urgent issue: that the newsletter could not be sent. The email created just enough concern to prompt action without raising suspicion. It is therefore imperative to recognize psychological manipulation in social engineering attacks and to view even small, mildly urgent requests with suspicion, especially when they involve logging into an account or updating credentials.

Password Manager Behavior as a Security Indicator 

In this attack, the behaviour of Hunt's password manager was a red flag. Password managers are designed to recognize and auto-fill credentials only on the legitimate websites they were saved for. The failure of the credentials to populate automatically should have been a warning sign that the website could be fraudulent. By paying close attention to how their password manager behaves, users can spot this kind of risk: if the credentials are not filled automatically, the site may be spoofed. Instead of entering the login details manually, users should double-check the source of the website and confirm it is authentic before proceeding.

The Limitations of One-Time Passwords (OTPs) in Phishing Attacks 

Multi-factor authentication (MFA) is widely considered to be one of the best security measures available, but it is not immune to phishing attacks. In this case, the phishing page asked Hunt for an OTP after he entered his username and password. Once he provided it, the attackers gained access to his legitimate account immediately.

A major weakness of OTP-based authentication is its inability to protect against real-time phishing attacks, where credentials are stolen and used instantly. The risk can be reduced by treating an OTP prompt on any site that looks suspicious or differs slightly from the usual login flow as a warning sign. Users are advised to be cautious whenever they are asked to enter an OTP.

Passkeys as a Stronger, Phishing-Resistant Alternative

There is no better way to authenticate a user than using passkeys, which are cryptographic credentials linked to the device of a user instead of traditional passwords. Passkeys are based on biometric authentication, for example, fingerprints, facial recognition, or even on-device authentication mechanisms.

As passkeys are not associated with manually entering credentials, they have a much higher resistance to phishing attacks than traditional passwords. Passkeys work on the trust-based model, unlike passwords and OTPs, where they require physical access to the device registered for authentication. In contrast to traditional login methods, passkeys are a powerful alternative that can be used in place of traditional login methods and can serve as a valuable defence against phishing attempts as well. 

The Importance of Continuous Security Awareness 


Even cybersecurity experts can be susceptible to sophisticated attacks, which highlights the importance of maintaining constant vigilance. The following practices help:

Verifying URLs Carefully – Keep an eye out for slight misspellings or variations in URLs, as attackers are often able to create a lookalike URL.

Using Security Keys or Passkeys – By using hardware-based authentication, such as YubiKeys, or passkeys, you can be assured that your information will be secure.

Being Cautious With Unexpected Requests – If you receive a suspicious email asking for login credentials, security updates, or sensitive actions, be cautious and verify the message separately.

Using Advanced Threat Protection – Organizations should take advantage of tools powered by artificial intelligence that are capable of detecting phishing attempts and blocking them in real time.

Educating Employees and Individuals – By attending regular cybersecurity training, you can become aware of the ever-evolving tactics used by phishing websites, minimizing the chances of human error.

Although no single security measure can ensure complete protection against phishing attacks, a multi-layered approach that combines awareness, technological safeguards, and behavioural vigilance can greatly reduce the chances of becoming a victim. As the Troy Hunt incident demonstrates, even the most experienced cybersecurity professionals are not immune to social engineering techniques.

Fatigue and reduced attentiveness contributed significantly in this case, leading to a misjudgment that was essentially avoidable. Social engineering can be extremely effective when it reaches the right people at the right time. The incident illustrates how cybercriminals exploit human weaknesses to achieve their objectives.

According to Aditi Gupta, a principal security consultant at Black Duck, attackers use a variety of tactics to manipulate unsuspecting victims, such as fear, urgency, and fatigue, to fool inexperienced people, reinforcing the theory that no one can escape sophisticated phishing schemes altogether. However, Hunt has been praised for being transparent in sharing his experience, which has served as a powerful tool for educating others about the risks associated with cybersecurity, despite the setbacks he has experienced. 

Despite admitting that he had made mistakes, he also expressed concern about Mailchimp’s security practices, especially the fact that the company did not offer two-factor authentication that is phishing resistant and kept intact for years to come. Cyber threats are not only mitigated through continuous vigilance, robust authentication mechanisms, and organizational responsibility, but also through continuous vigilance, robust authentication mechanisms, and organizational responsibility. 

The threat of social engineering attacks continues to increase and to remain protected from these attacks, it is imperative to strengthen security protocols, eliminate conventional authentication methods, and maintain cybersecurity awareness throughout the organization.

Thousands of iOS Apps Expose Sensitive Data Through Hardcoded Secrets, Researchers Warn

 

Cybersecurity researchers have uncovered alarming vulnerabilities in thousands of iOS applications, revealing that hardcoded secrets in their code have put users' sensitive information at risk.

A recent analysis by Cybernews examined over 156,000 iOS apps and detected more than 815,000 hardcoded secrets—some of which are highly sensitive and could potentially lead to security breaches or data leaks.

The term "secret" broadly refers to sensitive credentials like API keys, passwords, and encryption keys. These are often embedded directly into an app’s source code for convenience during development, but developers sometimes fail to remove them before release. According to Cybernews, the average iOS app exposes 5.2 secrets, and 71% of apps contain at least one leaked credential.

While some of these hardcoded secrets pose minimal risk, the report highlights serious threats. Researchers identified over 83,000 cloud storage endpoints, with 836 exposed without authentication, potentially leaking more than 400TB of data. Additionally, 51,000 Firebase endpoints were discovered, thousands of which were accessible to outsiders. Other exposed credentials include API keys for platforms like Fabric API, Live Branch, and MobApp Creator.

Among the most critical findings were 19 hardcoded Stripe secret keys, which directly control financial transactions. Cybernews researchers emphasized the severity of this issue, stating: “Stripe is widely used by e-commerce and even fintech companies to handle online payments.”

This vulnerability could allow cybercriminals to manipulate transactions or gain unauthorized access to payment infrastructure.

The findings challenge the common belief that iOS apps offer stronger security compared to other platforms.

“Many people believe that iOS apps are more secure and less likely to contain malware. However, our research shows that many apps in the ecosystem contain easily accessible hardcoded credentials. We followed the trail and found open databases with personal data and accessible infrastructure,” said Aras Nazarovas, a security researcher at Cybernews.

This study underscores the importance of secure coding practices and urges developers to adopt better security protocols to prevent data breaches and unauthorized access.
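A pre-release check for the kind of hardcoded secrets described above, as an added example that is not from Cybernews or the original post: it walks every string in an app's property list and flags Stripe secret keys, Google API keys and Firebase endpoints. The patterns, the helper names and the sample plist are assumptions constructed for illustration.

```python
import plistlib
import re

# Illustrative patterns (assumptions of this example, not Cybernews' rule set).
# Stripe publishable keys (pk_live_) are meant to ship in clients, so only the
# secret-key prefix is flagged.
EDGE = r"[0-9A-Za-z_-]"
PATTERNS = {
    "stripe_secret_key": re.compile(rf"(?<!{EDGE})sk_live_[0-9A-Za-z]{{16,}}"),
    "google_api_key": re.compile(rf"(?<!{EDGE})AIza{EDGE}{{35}}(?!{EDGE})"),
    "firebase_endpoint": re.compile(r"https://[a-z0-9-]+\.firebaseio\.com\b"),
}

def walk(node, path=""):
    """Yield (key_path, string_value) for every string in a nested plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node

def preview(rule, text):
    """Keep endpoints readable; show only the prefix of key material."""
    return text if rule.endswith("_endpoint") else text[:8] + "..."

def scan_plist(data: bytes):
    """Return (key_path, rule, preview) for each suspected secret."""
    findings = []
    for key_path, value in walk(plistlib.loads(data)):
        for rule, pattern in PATTERNS.items():
            for match in pattern.finditer(value):
                findings.append((key_path, rule, preview(rule, match.group())))
    return findings

# Constructed sample: every value below is fake and built only for this demo.
SAMPLE = plistlib.dumps({
    "CFBundleIdentifier": "com.example.shop",
    "Payments": {"PublishableKey": "pk_live_" + "0" * 24,
                 "SecretKey": "sk_live_" + "0" * 24},
    "Services": ["https://example-app.firebaseio.com/users.json",
                 "AIza" + "X" * 35],
})

if __name__ == "__main__":
    for finding in scan_plist(SAMPLE):
        print(finding)
```

A finding is a lead, not a verdict: whether a flagged Firebase endpoint or API key is actually exposed depends on its server-side rules and restrictions.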


Revolutionizing Security: Passkeys by Google and Apple

Online security has grown to be of utmost importance in a digital environment that is always changing. Passkeys, a cutting-edge authentication system that is poised to transform how we protect our accounts, are being pushed for by Google and Apple, who are leading the effort.

Passkeys, also known as cryptographic keys, are a form of authentication that relies on public-key cryptography. Unlike traditional passwords, which can be vulnerable to hacking and phishing attacks, passkeys offer a more robust and secure method of verifying user identity. By generating a unique pair of keys – one public and one private – passkeys establish a highly secure connection between the user and the platform.

One of the key advantages of passkeys is that they eliminate the need for users to remember complex passwords or go through the hassle of resetting them. Instead, users can rely on their devices to generate and manage these cryptographic keys. This not only simplifies the login process but also reduces the risk of human error, a common factor in security breaches.

Google and Apple have been at the forefront of this innovation, integrating passkey technology into their platforms. Apple, for instance, has introduced the Passkeys API in iOS, making it easier for developers to implement this secure authentication method in their apps. This move signifies a significant shift towards a more secure and user-friendly digital landscape.

Moreover, passkeys can play a pivotal role in thwarting phishing attacks, which remain a prevalent threat in the online realm. Since passkeys are tied to specific devices, even if a user inadvertently falls victim to a phishing scam, the attacker would be unable to gain access without the physical device.

While passkeys offer a promising solution to enhance online security, it's important to acknowledge potential challenges. For instance, the technology may face initial resistance due to a learning curve associated with its implementation. Additionally, ensuring compatibility across various platforms and devices will be crucial to its widespread adoption.

Passkeys are a major advancement in digital authentication. Google and Apple are leading a push toward a more secure and frictionless internet experience by utilizing the power of public-key cryptography. Users might anticipate a time in the future when the laborious practice of managing passwords is a thing of the past as this technology continues to advance. Adopting passkeys is a step toward improved security as well as a step toward a more user-focused digital environment.

Reddit Blackout: Subreddits Protest New Pricing Policy

 

In a show of protest against Reddit's new pricing policy, thousands of subreddits are planning to go private for 48 hours starting on Monday. This move aims to bring attention to concerns about the platform's recent changes and their potential impact on the Reddit community.

The protest comes in response to Reddit's decision to introduce a new premium membership tier called "Reddit Premium Platinum," which offers additional features and benefits to users for a monthly fee. This move has sparked controversy and criticism from many Reddit users who fear that it will create a two-tier system and undermine the platform's core principles of free and open discussion.

The blackout is organized by moderators of various subreddits who are concerned about the direction Reddit is taking. By making their communities private, they hope to raise awareness among users and encourage discussions about the potential consequences of the new pricing policy.

The protest is not limited to specific types of subreddits; a wide range of communities across various topics are expected to participate. This includes popular subreddits such as r/AskReddit, r/pics, and r/movies, among others. The blackout is expected to significantly impact the overall activity and engagement on the platform for the duration of the protest.

Critics argue that the new pricing policy could lead to a more commercialized Reddit, potentially favoring large corporations and diminishing the influence of individual users. They express concerns that the platform's sense of community and democratic nature could be eroded as a result.

In response to the planned blackout, Reddit released a statement acknowledging the concerns and stating that they are committed to engaging with users to address their feedback. They emphasized the importance of user input in shaping the platform's future and pledged to continue refining their offerings based on community feedback.

The blackout serves as a reminder of the power of online communities and their ability to mobilize for a common cause. Reddit has a history of user-driven protests that have influenced policy changes in the past. The collective action by subreddit moderators highlights the significance of their role in shaping the platform and the importance of user voices in discussions about its future direction.

As the blackout unfolds, it is yet to be seen how Reddit users and the platform's management will navigate this period of heightened tensions. It will likely serve as a critical moment for both sides to engage in open dialogue and find common ground to address the concerns raised by the community.

A Zero-Trust Future Encourages Next-Generation Firewalls

The future of Zero Trust security relies greatly on next-generation firewalls (NGFWs). NGFWs are classified by Gartner Research as "deep packet inspection firewalls that incorporate software inspection, intrusion prevention, and the injection of intelligence from outside the firewall in addition to protocol inspection and blocking." As per Gartner, an NGFW should not be mistaken for a standalone network intrusion prevention system (IPS) that combines a regular firewall and an uncoordinated IPS in the same device.

Significance of Next-Generation Firewalls

1. Substantial investment in ML and AI

As part of zero-trust security management goals, NGFW providers are increasing their investment in ML and AI to distinguish themselves from competitors or provide higher value. Analytical tools, user and device behavior analysis, automated threat detection and response, and development are all focused on identifying possible security issues before they happen. NGFWs can continuously learn and react to the shifting threat landscape by utilizing AI and ML, resulting in a more effective Zero Trust approach to defending against cyberattacks.

2. Contribution of a Zero Trust 

By removing implicit trust and continuously verifying each stage of a digital transaction, the zero trust approach to cybersecurity safeguards a business. Strong authentication techniques, network segmentation, limiting lateral movement, offering Layer 7 threat prevention, and simplifying granular, least-access restrictions are all used to defend modern environments and facilitate digital transformation.

Where nuanced security measures are lacking, implicit trust means that once on the network, users, including threat actors and malevolent insiders, are free to move laterally and access or exfiltrate sensitive data. A Zero Trust strategy is now more important than ever as digitalization accelerates in the shape of a rising hybrid workforce, ongoing cloud migration, and the transformation of security operations.

3. Threat monitoring to enforce least privilege access

Device software tasks for NGFWs, such as patch management, need to be handled by IT teams less frequently because updates are distributed in milliseconds and are transparent to administrators.

NGFWs that interface with Zero Trust environments have automated firmware patch updates, IPS, application control, automated malware analysis, IPsec tunneling, TLS decryption, IoT security, and network traffic management (SD-WAN) patch updates.

NGFWs used by Microsoft Azure supply Zero Trust

By enabling businesses to impose stringent access rules and segment their networks into distinct security zones, Microsoft Azure leverages next-generation firewalls (NGFWs) to deliver zero-trust security. This enhances the overall network security posture.

Azure Firewall can be set up to monitor traffic in addition to regulating it, looking for risks and anomalies, and taking appropriate action. As part of this, malicious communications can be blocked, infected devices can be quarantined, and security staff can be made aware of potential dangers.


NGFW firms are investing more in AI and ML to further distinguish their solutions. Companies must continue to enhance API connections, particularly with IPS, SIEM systems, and Data Loss Prevention (DLP) solutions. They must also concentrate on how software-defined networking (SDN) might increase adaptability while supplying finer-grained control over network traffic. A well-implemented Zero Trust architecture not only improves overall security levels but also lowers security complexity and operational overhead.

This Fraudulent ‘SentinelOne’ PyPI Package Steals Data from Developers

 

Researchers discovered criminals spoofing a well-known cybersecurity firm in an attempt to steal data from software developers. ReversingLabs researchers recently discovered a malicious Python package called "SentinelOne" on PyPI.

The package, named after a well-known cybersecurity firm in the United States, masquerades as a legitimate SDK client, enabling easy access to the SentinelOne API from within a separate project. 

However, the package also includes "api.py" files that contain malicious code and allow threat actors to steal sensitive data from developers and send it to a third-party IP address (54.254.189.27). Bash and Zsh histories, SSH keys, .gitconfig files, hosts files, AWS configuration information, Kube configuration information, and other data are being stolen.

According to the publication, these folders typically store auth tokens, secrets, and API keys, granting threat actors additional access to target cloud services and server endpoints.

Worse, the package does provide the functionality that the developers expect. In reality, this is a hijacked package, which means that unsuspecting developers may use it and become victims of their own ignorance. The good news is that ReversingLabs confirmed the package's malicious intent and had it removed from the repository after reporting it to SentinelOne and PyPI.

The malicious actors were very active in the days and weeks leading up to the removal. The package was first submitted to PyPI on December 11, and it has been updated 20 times in less than a month. The researchers discovered that one of the issues fixed with an update was the inability to exfiltrate data from Linux systems.

The researchers concluded that it is difficult to say whether anyone fell for the scam because there is no evidence that the package was used in an actual attack. Nonetheless, all of the published versions were downloaded over 1,000 times.
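A dependency-review triage check for the behaviour described above, as an added example that is not ReversingLabs' tooling or code from the package: it parses a module without running it and flags source that both references the developer files named in the report and imports a network-capable module. The marker strings, module list and both sample sources are assumptions constructed for illustration.

```python
import ast

# File locations for the data types named in the report; the exact marker
# strings are this example's assumption.
SENSITIVE_MARKERS = (".bash_history", ".zsh_history", ".ssh", ".gitconfig",
                     "/etc/hosts", ".aws", ".kube")
# Modules that can send data off the machine (illustrative, not exhaustive).
NETWORK_MODULES = {"socket", "urllib", "http", "requests", "ftplib", "smtplib"}

def audit_source(source: str) -> dict:
    """Statically inspect Python source; the code is parsed, never executed."""
    paths, modules = set(), set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            paths.update(m for m in SENSITIVE_MARKERS if m in node.value)
        elif isinstance(node, ast.Import):
            modules.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            modules.add(node.module.split(".")[0])
    network = modules & NETWORK_MODULES
    return {
        "sensitive_paths": sorted(paths),
        "network_modules": sorted(network),
        # An SDK client needs the network; it has no reason to also touch
        # shell history or credential directories.
        "review": bool(paths) and bool(network),
    }

# Constructed sample: an ordinary API client (hypothetical endpoint path).
BENIGN_SAMPLE = '''
import requests
def get_agents(base_url, token):
    return requests.get(base_url + "/agents", headers={"Authorization": token})
'''

# Constructed sample: only names the file locations; it sends nothing.
SUSPICIOUS_SAMPLE = '''
import os, urllib.request
targets = [".bash_history", ".ssh", ".aws/credentials"]
def collect():
    return [os.path.expanduser("~/" + t) for t in targets]
'''

if __name__ == "__main__":
    for name in ("BENIGN_SAMPLE", "SUSPICIOUS_SAMPLE"):
        print(name, audit_source(globals()[name]))
```

Because the article notes the package still provided the functionality developers expected, a check like this looks at what the code touches rather than whether the SDK works; string matches in docstrings or comments-as-strings will also trigger it, so treat a hit as a prompt for manual review.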