15,000 secrets; 66,000 vulnerabilities: How one hacker found them all
Bill Demirkapi is not your average security researcher. Using unconventional methods, this digital detective has exposed vulnerabilities in some of the world's biggest companies. Now, at the Defcon security conference in Las Vegas, he has revealed 15,000 hardcoded secrets and 66,000 vulnerable websites, all found by combing through overlooked data sources. The secrets include login credentials for Stanford University's Slack channels and over a thousand API keys belonging to OpenAI customers. To prevent misuse, Demirkapi has devised a method to get the exposed secrets invalidated.
Demirkapi identified 66,000 websites with dangling subdomain issues
In addition to the exposed secrets, Demirkapi identified websites with dangling subdomain issues (a DNS record that still points at a resource its owner no longer controls). Such dangling records could allow cybercriminals to hijack the affected subdomains. Among the vulnerable websites were some of the world's biggest platforms, including a development domain owned by The New York Times.
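A defender's first step against this class of issue is inventorying their own zone for records whose targets no longer resolve. The following is an added example, not code from Demirkapi's research or from the article: it walks a zone export, follows in-zone CNAME chains (with a loop guard), asks a resolver about external targets, and flags the records that end nowhere. The domain names, the zone contents and the resolver stub are all constructed for the example.

```python
"""Flag CNAME records whose targets no longer resolve (dangling subdomains).

Added example; not code from the research or the article. A CNAME to a dead
target is the usual precondition for a subdomain takeover: the zone still
advertises the name, but nobody currently controls what it points at.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    target: str


# Constructed zone export for an assumed example domain.
SAMPLE_ZONE = [
    Record("www.example.org", "A", "203.0.113.10"),
    Record("dev.example.org", "CNAME", "old-site.example-hosting.test"),
    Record("docs.example.org", "CNAME", "docs-live.example-hosting.test"),
    Record("blog.example.org", "CNAME", "www.example.org"),
    Record("loop1.example.org", "CNAME", "loop2.example.org"),
    Record("loop2.example.org", "CNAME", "loop1.example.org"),
]

# Constructed stand-in for a DNS lookup: which external names currently resolve.
LIVE_EXTERNAL_NAMES = {"docs-live.example-hosting.test"}


def sample_resolver(name: str) -> bool:
    """Assumed resolver: True if the external name has a live record."""
    return name in LIVE_EXTERNAL_NAMES


def _target_is_live(target: str, by_name: dict, resolves: Callable[[str], bool], depth: int = 0) -> bool:
    if depth > 8:
        return False  # CNAME loop or absurdly long chain: treat as dead
    recs = by_name.get(target)
    if recs is None:
        return resolves(target)  # not in our zone: ask the resolver
    for r in recs:
        if r.rtype in ("A", "AAAA"):
            return True  # chain ends at an address record we control
        if r.rtype == "CNAME":
            return _target_is_live(r.target, by_name, resolves, depth + 1)
    return False


def find_dangling(records: Iterable[Record], resolves: Callable[[str], bool]) -> list[Record]:
    """Return the CNAME records whose chain does not end at a live target."""
    records = list(records)
    by_name = defaultdict(list)
    for rec in records:
        by_name[rec.name].append(rec)
    return [
        rec for rec in records
        if rec.rtype == "CNAME" and not _target_is_live(rec.target, by_name, resolves)
    ]


if __name__ == "__main__":
    for rec in find_dangling(SAMPLE_ZONE, sample_resolver):
        print(f"dangling: {rec.name} -> {rec.target}")
```

Run against a real zone, the resolver callback would wrap an actual DNS query, and a hit is a cue to either delete the record or reclaim the target at the provider before someone else does.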
Using unconventional datasets for research
Demirkapi used unconventional datasets in his research to identify these issues on a large scale. He believes that expanding this approach could help protect the web at large. "The goal has been to find ways to discover trivial vulnerability classes at scale," Demirkapi said to WIRED, adding, "I think that there's a gap for creative solutions."
He used VirusTotal's Retrohunt feature for scanning
Demirkapi used the Retrohunt feature of Google-owned VirusTotal to scan a year's worth of files that users had uploaded to the service as suspected malware. He scanned over 1.5 million samples for secrets and then validated that the matches he found were active secret keys. His research resulted in the discovery of over 15,000 active secrets of all kinds.
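Retrohunt runs YARA rules over uploaded files; the same idea can be applied to any corpus a defender controls (build artifacts, ticket attachments, shared drives). The following is an added example, not code from the research, VirusTotal or the article: it scans an in-memory corpus with a generic credential-assignment pattern, drops low-entropy placeholders, and reports each hit redacted with a short hint plus a hash for deduplication, so the scan output itself does not become another leak. The pattern, the entropy threshold and the sample files are assumptions; confirming that a hit is a live credential (which the research did against the issuing services) is out of scope here.

```python
"""Scan text blobs for likely hardcoded secrets and report them redacted.

Added example; not code from the research, VirusTotal Retrohunt or the
article. Patterns, thresholds and sample data are constructed assumptions.
"""
import hashlib
import math
import re
from collections import Counter
from dataclasses import dataclass

# Assumed generic pattern: a credential-ish variable name assigned a long token.
ASSIGNMENT_RE = re.compile(
    r"(?i)\b(api[_-]?key|secret(?:[_-]?key)?|token|password)\b\s*[:=]\s*[\"']?([A-Za-z0-9_\-]{16,})"
)
MIN_ENTROPY = 3.0  # bits per character; words and placeholders sit well below this


@dataclass(frozen=True)
class Finding:
    source: str
    kind: str
    hint: str    # first 4 characters: enough to recognise, not enough to use
    digest: str  # sha256 prefix, for deduplicating the same secret across files


def shannon_entropy(s: str) -> float:
    """Bits per character of the token; random tokens score high, words low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(token: str) -> tuple[str, str]:
    return token[:4] + "...", hashlib.sha256(token.encode()).hexdigest()[:12]


def scan_blob(source: str, text: str) -> list[Finding]:
    findings = []
    for m in ASSIGNMENT_RE.finditer(text):
        kind, token = m.group(1).lower(), m.group(2)
        if shannon_entropy(token) < MIN_ENTROPY:
            continue  # looks like a placeholder or a dictionary word
        hint, digest = redact(token)
        findings.append(Finding(source, kind, hint, digest))
    return findings


def scan_corpus(corpus: dict[str, str]) -> list[Finding]:
    out = []
    for name, text in corpus.items():
        out.extend(scan_blob(name, text))
    return out


# Constructed samples; the tokens are made-up strings, not real credentials.
SAMPLE_CORPUS = {
    "config.py": 'API_KEY = "q7Xk2mPz9vLr4tHs8wNc1bFy6jDg3aEu"\nDEBUG = True\n',
    "settings.example.ini": "password = passwordpasswordpassword\n",
    "notes.txt": "token: 8hF3kQ2pL9sW4xZ7nB1mV6cY0tR5jG2d\n",
}


if __name__ == "__main__":
    for f in scan_corpus(SAMPLE_CORPUS):
        print(f"{f.source}: {f.kind} {f.hint} ({f.digest})")
```

The entropy filter is what keeps the placeholder in settings.example.ini out of the report; in practice a scanner layers issuer-specific prefixes on top of the generic pattern, and the digest lets a team track one leaked key across many files without ever storing the key itself in the findings.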
Demirkapi faced challenges in reporting the exposed secrets
Despite his significant findings, Demirkapi encountered difficulties in reporting the exposed secrets. While he was able to report some directly to the affected companies, others were not as cooperative. For instance, Amazon Web Services refused to give him access to its existing reporting tools. To work around this, Demirkapi began uploading the secrets to GitHub so that GitHub's secret scanning would trigger and get them reported through that channel.