Security boffins scoured the web and found hundreds of valid API keys
theregister.co.uk

Computer security boffins have conducted an analysis of 10 million websites and found almost 2,000 API credentials strewn across 10,000 webpages.
The researchers detail their findings in a preprint paper titled "Keys on Doormats: Exposed API Credentials on the Web," and say they conducted the study because much of the attention on exposed credentials has focused on scouring code repositories and source code. They argue that dynamic analysis of production websites is essential to understand the scope of the problem.
"What we found were highly sensitive API credentials left publicly exposed on public webpages," Nurullah Demir, a PhD candidate at Stanford and corresponding author, told The Register in an email. "These act as access tokens that authorize applications to interact with third-party services, granting direct access to critical infrastructure like cloud platforms and payment providers."
Demir contends that API credentials are even more dangerous than exposed login details ...
Copyright of this story solely belongs to theregister.co.uk.

