- A new series of high quality secrets detection checks are now available to Intruder’s Enterprise plan customers.
- Intruder scanned approximately 5 million applications to uncover more than 42,000 exposed tokens using its new method.
- Intruder’s new research report, Secrets in Your Bundle(.js) discovers an entire class of secrets currently unaddressed by existing tooling.
LONDON – Intruder, a leader in exposure management, today announced the release of a new series of high quality secrets detection checks for sensitive API keys and tokens hidden inside JavaScript bundles used by single-page applications. This upgrade was spurred by the discovery of a major class of leaked secret vulnerabilities that bypass standard security checks. Using a new spidering-based secrets detection method, Intruder scanned approximately 5 million applications to uncover more than 42,000 exposed tokens.
Intruder’s improved secrets detection checks critically sensitive secrets exposed by application front-ends, via spidering: systematically crawling through websites to find all exposures. It is now available to Intruder Enterprise plan customers. This approach is an improvement on traditional methods which automatically search through a list of known common locations, and use a regular expression to match known secret formats. Whilst this method offers value and can be used to find some exposures, it has serious limitations and won’t catch everything.
Secrets are leaking into production at scale, circumventing current detection mechanisms. Traditional VM tools (and SAST/DAST) have limitations which mean they won’t catch everything, and modern build pipelines can expose secrets in unexpected ways. These leaks create real breach paths: access to private repositories, CI/CD secrets, cloud credentials, internal ticketing systems, and more. Hardcoded or leaked secrets (API keys, passwords, tokens) are a primary cause of data breaches and are often left exposed for long periods of time.
Intruder developed this new capability after its security research team discovered thousands of exposed tokens, including highly sensitive GitHub/GitLab keys, project management API tokens, Slack webhooks, and more. Intruder scanned approximately 5 million applications using their new JavaScript bundle secrets scanner. Results found 100MB of plain text which included over 42,000 tokens across 334 types of secrets. The most impactful exposures found were tokens for code repository applications, identifying a total of 688 tokens, many of which were still active.
“This project revealed that there is a major class of leaked secrets weaknesses that are not being handled sufficiently by existing tooling – especially when it comes to secrets used by single-page applications,” said Dan Andrew, Head of Security at Intruder. “Secrets detection appears to be an area that benefits from being hit from all angles, including robust remote scanning that leaves no stone unturned.”
The research shows that relying on “shift-left only” approaches, scanning for threats and vulnerabilities earlier in development cycles, can still leave security gaps as it relates to leaked-secrets. As AI-assisted development accelerates coding and build automation, the risk is only growing. Without robust, remote secrets detection that inspects JavaScript bundles, organizations are blind to one of the fastest-growing sources of compromise.
The full research report with complete details on their team’s approach and the impact each type of vulnerability can have is now available on Intruder’s blog: Secrets in your Bundle(.js) – The Festive Gift Attackers Always Wanted.
Security and IT teams interested in learning more about the Intruder platform and secrets detection capabilities can book an introductory call here.
About Intruder
Intruder’s exposure management platform helps lean security teams stop breaches before they start by proactively discovering attack surface weaknesses. By unifying attack surface management, cloud security and continuous vulnerability management in one intuitive platform, Intruder makes it easy to stay secure by cutting through the noise and complexity. Founded in 2015 by Chris Wallis, a former ethical hacker turned corporate blue teamer, Intruder is now protecting over 3,000 companies worldwide. Learn more at https://intruder.io.
