27.06.2022 - 01:34 [ RedHuntLabs.com ]

Millions of Secrets Exposed via Web Application Frontend – An Internet-Wide Study

(14.06.2022)

A notable highlight here is that Google services, namely Google reCAPTCHA, Google Cloud, and Google OAuth, accounted for a major share, almost 70% in total, of the services with the highest secret exposure.

An eye-opening finding from Phase 1 was that, even though the domains in scope belonged to the top 1 million domains on the internet, the secret exposure was massive.

(…)

Since we focused mainly on the front end, we anticipated that most of the exposures would come through JavaScript files. Analyzing the results, we found that almost 77% of the exposures occurred through JavaScript files used in the frontend code.
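The kind of check behind such a result, as an added example that is not part of the RedHunt Labs study and does not reproduce their tooling: a small scanner that runs the publicly documented formats of the three Google credential types named above over a frontend bundle. The bundle below is a constructed sample, the credential values in it are made up, and the "public_by_design" annotation is this example's own triage hint: a reCAPTCHA site key and an OAuth client ID are meant to reach the browser, so a hit there is something to review (is the key restricted, are the redirect URIs locked down), whereas an unrestricted API key in a bundle is the classic leak.

```python
import re
from dataclasses import dataclass

# Documented formats of the three Google credential types discussed in the study.
# Lookarounds instead of \b so keys ending in "-" or "_" are still matched whole.
# The boolean is this example's own annotation of whether the identifier is
# designed to be shipped to the client (True) or should never appear in
# frontend code unless deliberately restricted (False).
PATTERNS = {
    "google_api_key": (
        re.compile(r"(?<![0-9A-Za-z_-])AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])"),
        False,
    ),
    "google_oauth_client_id": (
        re.compile(r"(?<![0-9A-Za-z_-])\d+-[0-9a-z]+\.apps\.googleusercontent\.com(?![0-9A-Za-z_-])"),
        True,
    ),
    "recaptcha_site_key": (
        re.compile(r"(?<![0-9A-Za-z_-])6L[0-9A-Za-z_-]{38}(?![0-9A-Za-z_-])"),
        True,
    ),
}


@dataclass(frozen=True)
class Finding:
    kind: str
    value: str
    line: int
    public_by_design: bool


def scan_js(source: str) -> list[Finding]:
    """Return one Finding per distinct (kind, value) in a JavaScript source text.

    Duplicates of the same value (common in minified bundles that inline a
    config object several times) are reported once, at their first occurrence.
    """
    findings: list[Finding] = []
    seen: set[tuple[str, str]] = set()
    for lineno, line in enumerate(source.splitlines(), start=1):
        for kind, (pattern, public) in PATTERNS.items():
            for match in pattern.finditer(line):
                key = (kind, match.group(0))
                if key in seen:
                    continue
                seen.add(key)
                findings.append(Finding(kind, match.group(0), lineno, public))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per credential type, the per-service view the study reports."""
    counts: dict[str, int] = {}
    for finding in findings:
        counts[finding.kind] = counts.get(finding.kind, 0) + 1
    return counts


# Constructed sample bundle; every credential below is made up for this example.
SAMPLE_BUNDLE = r"""
// constructed sample: a minified-looking frontend bundle with embedded config
var cfg={apiKey:"AIzaSyD_EXAMPLE_0123456789abcdefghijklm",authDomain:"example.firebaseapp.com"};
grecaptcha.render("btn",{sitekey:"6LexampleEXAMPLE0123456789abcdefghijklmn"});
gapi.auth2.init({client_id:"123456789012-abcdefghijklmnopqrstuvwxyz012345.apps.googleusercontent.com"});
var again="AIzaSyD_EXAMPLE_0123456789abcdefghijklm"; // same key again, counted once
"""


if __name__ == "__main__":
    results = scan_js(SAMPLE_BUNDLE)
    for f in results:
        flag = "review (public by design)" if f.public_by_design else "LEAK unless restricted"
        print(f"line {f.line}: {f.kind} {f.value} -> {flag}")
    print(summarize(results))
```

On real bundles, run this over the JavaScript referenced by a page rather than only the HTML, since that is where most of the exposures sit; a hit on an API key is then confirmed by checking whether the key carries HTTP-referrer or API restrictions in the owning Google Cloud project.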

Since most of the JavaScript was served through content delivery networks, we mapped the exposures to their sources to extract further insights from our data. The highest number of exposures came from the Squarespace CDN, accounting for over 197k exposures.