Halo Security detects exposed secrets and API keys in JavaScript
Web properties are increasingly relying on third-party JavaScript to increase functionality, but this can also bring inherent risks.
A report from Source Defense, which scanned the 4,300 highest-trafficked websites globally, found an average of four third-party scripts per page. Often, these tags are added without proper security controls or oversight from security teams, giving attackers an easy way to find exposed API keys and breach sites.
Halo Security has unveiled a new feature that helps security teams detect unintended exposures. Its agentless solution identifies secrets in scripts used across the attack surface, no matter how they’ve been added, so security teams know what is dangerous and what isn’t.
These tags are often added by developers and marketers via tag management systems, without understanding the risk. Research from Invicti suggests 6.3% of top sites on the internet are exposing keys and secrets.
Halo Security’s new feature has already detected and alerted customers to more than 700 instances of revealed secrets across websites it scans. It has found potentially devastating exposures like Amazon keys that unlock a site’s entire infrastructure, and proprietary back doors to third-party functionality like image carousels, where an attacker could upload or delete pictures and cause reputational harm.
“Our pentesters have been flagging this issue more and more recently and it’s a problem most clients don’t even know about. With this new feature, we bring awareness continuously and automatically,” said Nick Merritt, VP of Security Products at Halo Security. “Our new JavaScript secret detections are the perfect compliment to existing script monitoring and analysis solutions.”
Halo Security customers now have access to a new report highlighting any exposed secrets in their JavaScript at no additional cost and with no additional configuration required. For companies looking to improve the security of their external attack surface, Halo Security offers a seven-day free trial to discover any existing keys exposed.