A research team from Cybernews has discovered serious issues affecting 58,364 websites globally. These websites have mistakenly left their configuration files, known as .env files, open to the public. These files contain critical data like passwords and API keys necessary for accessing important services like databases, mail servers, and payment systems.
Unfortunately, this oversight has left these sites and their visitors vulnerable to attacks, data breaches and even complete takeovers. The investigation began on April 9th, and used publicly available indexes to review the .env files. The analysis uncovered 1,141,004 secrets that were not protected. Among the exposed information, database credentials were most common, found on over 27,000 websites. This could potentially allow unauthorized access to sensitive user data such as names, addresses, and passwords. Other frequently leaked secrets include application keys and email credentials, which could be exploited for data theft and phishing attacks.
Further findings showed that sensitive information from marketing automation tools and cloud storage services like AWS were also compromised. This kind of exposure could lead to unauthorized access to a wide range of private company and customer data. The study also revealed that high-risk credentials, which could allow attackers to take over entire websites or conduct extensive attacks, were found in 10% of the leaked secrets.
The United States hosted the highest number of affected websites, followed by Germany, India, and France. However, the issue is truly global, with significant numbers of vulnerable sites across various countries.
The researchers pointed out that .env files are often inadvertently exposed due to their hidden status in some operating systems, which can lead to them being uploaded accidentally. Other common reasons for these exposures include mistakes in version control, misconfigured web servers, and simple human error.
To prevent such risks, it’s crucial for web developers to use secure storage solutions for sensitive data and enforce strict access controls. This can help protect not just the websites but also the millions of users who may unknowingly be at risk due to these security oversights.
Read next:
• Reducing Social Media Use Boosts Mental Health in Youth
• Android On A Mission To Make Sensitive Fingerprint Scanners Available For All Mid-Range Devices
by Mahrukh Shahid via Digital Information World
No comments:
Post a Comment