Keys on Doormats: Exposed API Credentials on the Web
Researchers scanned 10M webpages and found credentials from 14 major service providers publicly accessible.
A research team from Stanford University, UC Davis, and TU Delft has published a landmark security study titled "Keys on Doormats: Exposed API Credentials on the Web." The paper, published on arXiv, details their analysis of 10 million webpages, revealing a widespread and critical security flaw: the public exposure of sensitive API keys and tokens. They identified 1,748 distinct credentials from 14 major service providers—including cloud platforms and payment processors—on nearly 10,000 webpages. Shockingly, these exposed credentials were found on highly popular and critical sites, such as those belonging to global banks and firmware developers.
The researchers characterized the primary exposure vectors, finding that most credentials were leaked through JavaScript environments on the client side. Analysis of archived web data showed that these keys often remained publicly accessible for periods ranging from a month to several years, creating prolonged vulnerability windows. The team also conducted responsible disclosure efforts, notifying affected organizations, which resulted in a substantial reduction of exposed credentials. This study highlights a previously unexplored attack surface on the public web, moving beyond known risks in platforms like GitHub, and underscores the urgent need for developers to audit their front-end code for credential leakage.
- Scanned 10 million webpages and found API keys on nearly 10,000 of them
- Identified 1,748 distinct exposed credentials from 14 major service providers
- Exposures lasted for months to years, primarily originating from JavaScript code
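One way to run the front-end audit the article calls for, written as an added example that is not from the paper or its authors: a Node.js check over built assets that reports secret-shaped strings with their location and a redacted value. The three rules are assumptions based on publicly documented key prefixes, not the study's provider list or detection method, and the sample bundle is constructed.

```javascript
// Added example: scan the text of a built asset (JS bundle or HTML page)
// for strings shaped like server-side credentials.
// Assumed rules, from publicly documented key prefixes only.
const RULES = [
  { id: "aws-access-key-id", re: /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/g },
  // Stripe secret (sk_) and restricted (rk_) keys. Publishable pk_ keys
  // are meant to ship to the browser, so they are deliberately not flagged.
  { id: "stripe-secret-key", re: /\b[sr]k_live_[0-9a-zA-Z]{24,}\b/g },
  { id: "github-pat", re: /\bghp_[0-9A-Za-z]{36}\b/g },
];

// Minified bundles are often a single line, so report the column too.
function locate(text, index) {
  const before = text.slice(0, index);
  return {
    line: before.split("\n").length,
    col: index - before.lastIndexOf("\n"), // 1-based
  };
}

// Never write the full secret into CI logs: keep the prefix and the length.
const redact = (s) => `${s.slice(0, 8)}... (${s.length} chars)`;

function scanAsset(name, text) {
  const findings = [];
  for (const { id, re } of RULES) {
    for (const m of text.matchAll(re)) {
      findings.push({ asset: name, rule: id, ...locate(text, m.index), match: redact(m[0]) });
    }
  }
  return findings.sort((a, b) => a.line - b.line || a.col - b.col);
}

// Constructed sample bundle: one publishable key (expected in client code),
// one secret key, and AWS's documented example access key ID.
const SAMPLE_BUNDLE = [
  'const cfg={stripePublishable:"pk_live_' + "a".repeat(24) + '",',
  'stripeSecret:"sk_live_' + "b".repeat(24) + '",',
  'aws:{accessKeyId:"AKIAIOSFODNN7EXAMPLE"}};',
].join("\n");

for (const f of scanAsset("app.min.js", SAMPLE_BUNDLE)) {
  console.log(`${f.asset}:${f.line}:${f.col} ${f.rule} ${f.match}`);
}
```

A finding means the credential has to be revoked and reissued, not just removed from the next build, because copies of the old asset may already be cached or archived.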
Why It Matters
Exposed API keys on public websites give attackers direct access to backend services, leading to data breaches and financial fraud.