Security boffins scoured the web and found hundreds of valid API keys

Computer security boffins have conducted an analysis of 10 million websites and found almost 2,000 API credentials strewn across 10,000 webpages. The researchers detail their findings in a preprint paper titled "Keys on Doormats: Exposed API Credentials on the Web," and say they conducted the study because much of the …

  1. Pascal Monett Silver badge
    FAIL

    "one of the affected organizations was a global bank"

    I would like the name of that bank to ensure that I never have anything to do with it in the future.

    Putting an API on a webpage is not done by mistake and I'm willing to bet that there were no "rogue engineers" involved.

    This bank needs to be named and shamed.

    1. Gene Cash Silver badge

      Re: "one of the affected organizations was a global bank"

      Betcha you'll find your answer in Lloyds app glitch turned transactions into shared experience for 447k users

    2. Cav

      Re: "one of the affected organizations was a global bank"

      "Putting an API on a webpage is not done by mistake" - API Key.

      Never underestimate the power of stupidity.

  2. that one in the corner Silver badge

    Yesterday, finding keys put into source code

    Today, finding keys pushed to your PC inside the web page.

    What will tomorrow bring? Keys emailed out to all of us at the bottom of the next marketing missive?

  3. billdehaan Silver badge
    Facepalm

    It's not a good thing when the accountants know what a git repository is

    Everyone knows about the global public site github.com, but did you also know that Github is actually a commercial product that is sold to enterprises as a revision control product? It is, competing with the likes of SourceForge, Mercurial, BitBucket, and many others.

    When IBM announced they were shutting down ClearCase, enterprise customers needed to find a replacement. One company test drove a pilot program to test out a few competitors, including Github and BitBucket. Both allowed you to connect to multiple repositories. This was a necessity for the company as it had several different products in development, ranging from graphical analysis products to real time software that controlled safety critical equipment in the field.

    The safety critical software was the jewel in the company's crown. They didn't produce the field equipment hardware, other companies did. But their software that ran it was best of breed, and had many safety certifications that competitors didn't. They knew it, and charged accordingly. The profits from that software kept the rest of the company going. Like the recipe for KFC or Coca Cola, it was a closely guarded secret. If others could copy it, they were dead, and they knew it.

    So, when a junior developer pushed the entire code base to github.com, it was a matter of considerable concern. As in "wake up the CEO at 3:30 in the morning" levels of concern.

    They had installed Gitlab for in-house testing. Whether the installers had configured the back end improperly, or the developer had somehow managed to select the public site on his own, the damage was done. He had pushed the entire repo, including the configuration files that included security API keys, hardware IDs, login credentials, public API addresses, the works.

    Fortunately, their legal team was able to contact github.com and get it taken down quickly. The developer had pushed it only to his personal gitlab site, which had under 20 followers, and the code base was thousands of files. So fortunately, there were very few downloads of it, if any. Management was quite tight lipped about it, as you can imagine, so I've no idea if anyone managed to download it or not.

    The accountants demanded they be involved in the selection process from that point on. Atlassian managed to win the bid with a very strong "Bitbucket won't let your developers accidentally put your code base on the internet" argument that the accountants found compelling.

  4. Blackjack Silver badge

    Is that hard to time limit and lock APIs to specific locations and IPs?

    Because yes you can fake location and an IP but it makes things harder.

    And yes it will make remote work harder but security is not convenience.

    1. MatthewSt Silver badge

      You can't fake an IP address if whatever you're doing needs bidirectional communication
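The controls Blackjack asks about (a lifetime on each key and a source-address allowlist) are straightforward to implement on the server side. The following is an added example, not code from the article, the paper or any commenter; it assumes an in-memory store standing in for a real database, stores only a SHA-256 digest of each key so that a leaked table does not yield usable credentials, and checks expiry, revocation and CIDR membership on every request. The addresses and timestamps are constructed for the demonstration.

```python
"""Issue, expire and IP-restrict API keys (added defensive example)."""
import hashlib
import ipaddress
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed fixed clock so the demonstration is reproducible.
ISSUED_AT = datetime(2023, 1, 1, 12, 0, tzinfo=timezone.utc)


@dataclass
class ApiKeyRecord:
    """Server-side metadata for one key; the raw key itself is never stored."""
    key_hash: str
    expires_at: datetime
    allowed_networks: List[ipaddress._BaseNetwork]
    revoked: bool = False


def _hash_key(raw_key: str) -> str:
    # Only the digest is persisted; a copy of the table cannot be replayed as keys.
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


class ApiKeyStore:
    """In-memory stand-in for the credential database (assumption of this example)."""

    def __init__(self) -> None:
        self._records: Dict[str, ApiKeyRecord] = {}

    def issue(self, ttl: timedelta, allowed_cidrs: List[str],
              now: Optional[datetime] = None) -> str:
        """Create a key valid for `ttl` from `now`, usable only from `allowed_cidrs`."""
        now = now or datetime.now(timezone.utc)
        raw_key = secrets.token_urlsafe(32)          # 256 bits of randomness
        self._records[_hash_key(raw_key)] = ApiKeyRecord(
            key_hash=_hash_key(raw_key),
            expires_at=now + ttl,
            allowed_networks=[ipaddress.ip_network(c, strict=False) for c in allowed_cidrs],
        )
        return raw_key  # shown to the caller exactly once

    def revoke(self, raw_key: str) -> bool:
        """Mark a key unusable, e.g. after it turns up in a public web page."""
        rec = self._records.get(_hash_key(raw_key))
        if rec is None:
            return False
        rec.revoked = True
        return True

    def validate(self, raw_key: str, client_ip: str,
                 now: Optional[datetime] = None) -> Tuple[bool, str]:
        """Return (accepted, reason). Every request passes through this check."""
        now = now or datetime.now(timezone.utc)
        rec = self._records.get(_hash_key(raw_key))
        if rec is None:
            return False, "unknown key"
        if rec.revoked:
            return False, "revoked"
        if now >= rec.expires_at:
            return False, "expired"
        try:
            ip = ipaddress.ip_address(client_ip)
        except ValueError:
            return False, "malformed client address"
        # `in` returns False for an address/network version mismatch, so a v6
        # client never matches a v4 allowlist entry by accident.
        if not any(ip in net for net in rec.allowed_networks):
            return False, "source address not allowed"
        return True, "ok"


def run_demo() -> Dict[str, Tuple[bool, str]]:
    """Exercise each rejection path with constructed inputs and return the outcomes."""
    store = ApiKeyStore()
    key = store.issue(timedelta(hours=1), ["203.0.113.0/24"], now=ISSUED_AT)
    results = {
        "allowed_ip": store.validate(key, "203.0.113.7", now=ISSUED_AT),
        "other_ip": store.validate(key, "198.51.100.7", now=ISSUED_AT),
        "ipv6_client": store.validate(key, "2001:db8::1", now=ISSUED_AT),
        "expired": store.validate(key, "203.0.113.7", now=ISSUED_AT + timedelta(hours=2)),
        "unknown": store.validate("not-a-real-key", "203.0.113.7", now=ISSUED_AT),
        "malformed_ip": store.validate(key, "not an address", now=ISSUED_AT),
    }
    store.revoke(key)
    results["after_revoke"] = store.validate(key, "203.0.113.7", now=ISSUED_AT)
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label:14s} -> {outcome}")
```

A key that leaks onto a web page is still only usable from the allowlisted range and only until it expires, which narrows the window MatthewSt's point already limits: with bidirectional traffic the caller must actually hold an address inside the range. Short lifetimes plus a revocation path are what turn a discovered key from a long-lived liability into a short-lived one.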

  5. Anonymous Coward
    Anonymous Coward

    Misdirection Again!

    Seriously........exactly how did bad actors insert malware into SolarWinds DEVELOPMENT LIBRARIES?

    Yup....this report sounds bad.......but MUCH WORSE THINGS HAVE HAPPENED!
