19-year-old Bill figured out how to identify a lot of vulnerabilities at once, and then fix them.
Bill Demirkapi, 19, an independent researcher and white-hat hacker, has developed a method to identify large-scale vulnerabilities on the Internet using non-standard data sources.
The results were presented at the Defcon conference in Las Vegas. Among the at least 15,000 secrets found ("secrets" refers to sensitive data such as passwords, API keys, and authentication tokens) were hundreds of accounts associated with the Nebraska Supreme Court and its IT systems, as well as access data to Stanford University's Slack channels.
Special attention was drawn to more than a thousand API keys belonging to OpenAI clients. Among the organizations that inadvertently disclosed their confidential data were a major smartphone manufacturer, fintech clients, and a multibillion-dollar cybersecurity corporation.
Demirkapi also created an automated system that revokes compromised data, stripping it of its value to potential attackers.
The second area of research concerned website vulnerabilities. The hacker found 66,000 sites with vulnerabilities in unused ("hanging") subdomains. Among those affected were some of the world's largest web resources, including a test domain owned by The New York Times.
To demonstrate the danger of vulnerable subdomains, Demirkapi conducted an experiment. He temporarily published a satirical article on The New York Times test domain with the provocative headline "The US declares war on Russia amid escalating tensions, sending shock waves through the international community." The article remained available for about a week. This experiment clearly showed how such vulnerabilities can be used to spread misinformation or conduct phishing attacks.
To search for secret keys, the researcher turned to VirusTotal, a service owned by Google that is usually used to scan files for malware. Using the Retrohunt function and YARA rules, he analyzed more than 1.5 million samples in search of sensitive data.
To make sure that the keys and secrets found were still current, Demirkapi executed API requests with them. This allowed him to confirm that the detected information was still active and could be used by intruders.
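The kind of pattern-plus-entropy matching that a YARA-style secret hunt relies on, as an added example that is not Demirkapi's code or VirusTotal's: it scans constructed sample lines for AWS, Slack and OpenAI-shaped tokens, drops low-entropy placeholders, and redacts hits for reporting (the OpenAI key shape and the entropy threshold are assumptions).

```python
from __future__ import annotations
import math
import re
from dataclasses import dataclass

# Regexes modelled on the secret types the article mentions. The AWS access key ID and
# Slack token shapes are widely documented; the OpenAI shape is an approximation
# (assumption), so treat matches as candidates to verify, not confirmed keys.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
    "openai_api_key": re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"),
}

@dataclass(frozen=True)
class Finding:
    kind: str
    line_no: int
    secret: str

def shannon_entropy(s: str) -> float:
    """Bits per character: placeholders like sk-xxxx... score low, real keys high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))

def scan(text: str, min_entropy: float = 3.0) -> list[Finding]:
    """Return secret-like tokens, filtering out low-entropy placeholders and examples."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                token = match.group(0)
                if shannon_entropy(token) >= min_entropy:
                    findings.append(Finding(kind, line_no, token))
    return findings

def redact(secret: str, keep: int = 8) -> str:
    """Keep only a short prefix so a report identifies the key without re-disclosing it."""
    return secret[:keep] + "..." + "*" * 4

# Constructed sample input (not real keys); the AWS value is Amazon's documented example ID.
SAMPLE = """\
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
OPENAI_API_KEY=sk-xxxxxxxxxxxxxxxxxxxxxxxx
SLACK_TOKEN=xoxb-123456789012-abcdefghijklmnop
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line_no}: {f.kind} {redact(f.secret)}")
```

The placeholder OpenAI value on line 2 is rejected by the entropy filter, which is the same reason such scanners need a second, out-of-band validity check before a key is treated as live.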
To identify vulnerable websites, the expert used passive DNS replication data. As a result, more than 78,000 unsecured cloud services linked to 66,000 top-level domains were detected.
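How a defender can run the same dangling-CNAME check over passive DNS data for their own zone, as an added example that is not the researcher's tooling: it flags CNAMEs into cloud hosting suffixes whose target no longer resolves, using a constructed record set and an offline stand-in resolver (the suffix list, zone name and records are assumptions).

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable

# Hosting suffixes where an unclaimed target name can be registered by anyone; this
# list is illustrative (assumption), not a complete inventory of providers.
CLOUD_SUFFIXES = (".s3.amazonaws.com", ".azurewebsites.net", ".github.io", ".herokuapp.com")

@dataclass(frozen=True)
class Record:
    name: str    # subdomain seen in passive DNS
    rtype: str   # "CNAME" or "A"
    target: str  # CNAME target hostname or IP address

def cloud_provider(target: str) -> str | None:
    """Return the matching provider suffix, or None if the target is not cloud-hosted."""
    for suffix in CLOUD_SUFFIXES:
        if target.endswith(suffix):
            return suffix.lstrip(".")
    return None

def find_dangling(records: list[Record], resolves: Callable[[str], bool]) -> list[tuple[str, str, str]]:
    """(subdomain, target, provider) for CNAMEs into a provider whose target no longer resolves."""
    dangling = []
    for rec in records:
        if rec.rtype != "CNAME":
            continue
        provider = cloud_provider(rec.target)
        if provider and not resolves(rec.target):
            dangling.append((rec.name, rec.target, provider))
    return dangling

# Constructed passive-DNS sample for a hypothetical zone example.test (not real data).
SAMPLE_RECORDS = [
    Record("www.example.test", "A", "192.0.2.10"),
    Record("assets.example.test", "CNAME", "assets-prod.s3.amazonaws.com"),
    Record("staging.example.test", "CNAME", "old-staging-app.azurewebsites.net"),
    Record("docs.example.test", "CNAME", "example-org.github.io"),
    Record("mail.example.test", "CNAME", "mx.corp-hosting.test"),  # not a cloud suffix
]
LIVE_TARGETS = {"assets-prod.s3.amazonaws.com", "example-org.github.io"}

def offline_resolver(hostname: str) -> bool:
    """Stand-in for a live lookup (e.g. socket.gethostbyname) so the example runs offline."""
    return hostname in LIVE_TARGETS

if __name__ == "__main__":
    for name, target, provider in find_dangling(SAMPLE_RECORDS, offline_resolver):
        print(f"{name} -> {target} ({provider}) no longer resolves: reclaim the target or delete the record")
```

The remediation for each hit is to delete the stale CNAME or re-register the target under your own account; a live run replaces offline_resolver with a real lookup and treats NXDOMAIN as "does not resolve".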
Alon Schindel, vice president of cyber threat research at Wiz, notes that there is a huge variety of secret data that developers can inadvertently leave in the code or disclose during the software creation process. These include passwords, encryption keys, API access tokens, cloud provider secrets, and TLS certificates. Schindel emphasizes that the main danger is that their disclosure can give attackers unauthorized access to code bases, databases and other confidential digital infrastructure.
Detecting problems is only half the battle, Demirkapi says. He also took crucial steps to fix the problems he found. For example, he reported more than 1,000 disclosed API keys to OpenAI, after which the company provided him with a public API key to automatically revoke compromised data.
However, not all companies were ready to cooperate. GitHub and Amazon Web Services denied access to existing reporting tools. This forced Demirkapi to look for workarounds, including using GitHub to automatically upload secrets to trigger the platform's sensitive data scanning system.
Daiping Liu, senior research manager at Palo Alto Networks, says that the problem of "hanging" domains is widespread. Tens of thousands of records are at risk at any given time, he said. Liu adds that larger domains may be particularly vulnerable to this problem, as they are harder to manage and more likely to be subject to human error. This explains why even giants like The New York Times may be under threat.