Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • The Security Leadership Issue
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecuritySecurity NewswireCybersecurity News

Python exploit gives access to 10,000+ API keys

api-security-freepik02857.jpg
September 21, 2021

A Python exploit gives access to more than 10,000 API (Application Programming Interface) keys via Wayback Machine, a project that archives the content of internet sites.


While conducting a security assessment on a website, security researcher Abdulrahman-Kamel created a Python script that searched through archived requests in the Wayback Machine. 


By using this code, the researcher found that they could extract all APIs from Wayback Machine and filter to remove those that had been expired or revoked, reaching more than 10,000 API keys. 


In this case, the impacted sites committed the worst form of offense where they relied on API keys submitted as parameters within a URL (i.e., a GET request), says Michael Isbitski, Technical Evangelist at Salt Security. “This implementation approach goes against security best practice, where no sensitive data should be submitted in a URL. Sensitive data in URLs is often logged, and such data can often be harvested later by an insider threat or external attacker. API keys fit the definition of sensitive data, and they can provide access to poorly designed and protected API endpoints. This sensitive data is also sometimes inadvertently and automatically archived by the Wayback Machine project.” Isbitski adds.


The Python script created by the researcher also tested for the validity of a given API key as an access credential to a given API endpoint, Isbitski says. “Knowing that many organizations fail to rotate API keys though, the API keys in question still gave access to many API endpoints.”


As an API security best practice, no API keys or secrets should be embedded in applications or code because attackers can easily harvest them. API keys alone are not intended as a means of authentication  — they must be paired with other authentication and authorization material to provide robust access control, Isbitski says. Salt Security, for example, speaks to this in the recently published API Security Best Practices at https://content.salt.security/wp-api-security-best-practices.html.


Because attackers regularly steal credentials or hijack authenticated sessions through various techniques, including social engineering, phishing, person-in-the-middle attacks, and reverse engineering code, Isbitski says organizations need runtime behavior analysis to detect and stop events when authentication material is compromised and in turn used to abuse APIs. “Strong access control is only one aspect of API security.”


Ryan Kennedy, Application Security Consultant at nVisium, says API security is becoming increasingly important in modern applications, with OWASP having released the first version of the API Security Top Ten in 2019. “Developers should be proactive in ensuring that API tokens can be properly rotated in the case of accidental exposure. Users may accidentally expose tokens in various ways, such as being submitted to an archiving service or included in a public Github repository,” he adds. “Developers can also mitigate the potential impact of API token leakage. For instance, sensitive operations should require a tightly scoped token which can only be sent in requests using a subset of permitted methods, such as POST requests to the relevant API endpoints.”


Securing APIs and understanding how they’re being used or abused is crucial for keeping data safe in cloud-based apps and infrastructure, explains Hank Schless, Senior Manager, Security Solutions at Lookout.


“Just like any other integrated or connected technology, IT and Security teams need to have visibility into how data flows through APIs, whether they’re properly configured, and how they behave. Advanced cloud access security broker (CASB) solutions can help mitigate the risk of misconfigured or abused APIs. Cloud security posture management (CSPM) and SaaS security posture management (SSPM) are aspects of many CASB solutions that help admins understand whether a SaaS or IaaS app’s APIs are configured correctly. This is often done according to known best practices and industry benchmarks such as those from the CIS. It’s just as important to understand the behavior of the API and the data it helps move, which user and entity behavior analytics (UEBA) can help grant visibility into,” Schless notes. “Understanding the risks posed by APIs in your infrastructure is key in the journey to minimizing your risk surface by implementing zero trust across your infrastructure. While there’s no silver bullet to solving the challenges of zero trust, which is a constantly evolving battle, this type of visibility is a small but very important part of that journey that organizations need to be sure they’re solving for.”

KEYWORDS: API security cyber security risk management security vulnerability

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Top Cybersecurity Leaders
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Columns
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    Technologies & Solutions
    By: Charles Denyer
Subscribe For Free!
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

  • Duty of Care
    Sponsored byAMAROK

    Integrating Technology and Physical Security to Advance Duty of Care

Popular Stories

Pills spilled

More than 20,000 sensitive medical records exposed

Laptop in darkness

Verizon 2025 Data Breach Investigations Report shows rise in cyberattacks

Coding on screen

Research reveals mass scanning and exploitation campaigns

White post office truck

Department of Labor Sues USPS Over Texas Whistleblower Termination

Computer with binary code hovering nearby

Cyberattacks Targeting US Increased by 136%

2025 Security Benchmark banner

Events

May 22, 2025

Proactive Crisis Communication

Crisis doesn't wait for the right time - it strikes when least expected. Is your team prepared to communicate clearly and effectively when it matters most?

September 29, 2025

Global Security Exchange (GSX)

 

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • twitter-freepik1170x658v56036.jpg

    3207 apps are leaking Twitter API keys

    See More
  • Revised NIST Cyber Security Framework - Security Magazine

    Access Control: Don’t Give Cybercriminals the Keys to Your Business

    See More
  • security-vulnerability-freepik1170x3789.jpg

    CISA adds 15 new vulnerabilities to exploit catalog

    See More

Related Products

See More Products
  • databasehacker

    The Database Hacker's Handboo

See More Products
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing