-
A new series of high quality secrets detection checks are now available to Intruder’s Enterprise plan customers.
-
Intruder scanned approximately 5 million applications to uncover more than 42,000 exposed tokens using its new method.
-
Intruder’s new research report, Secrets in Your Bundle(.js) discovers an entire class of secrets currently unaddressed by existing tooling.
Intruder, a leader in exposure management, announced the release of a new series of high quality secrets detection checks for sensitive API keys and tokens hidden inside JavaScript bundles used by single-page applications. This upgrade was spurred by the discovery of a major class of leaked secret vulnerabilities that bypass standard security checks. Using a new spidering-based secrets detection method, Intruder scanned approximately 5 million applications to uncover more than 42,000 exposed tokens.
Also Read: CIO Influence Interview with Duncan Greatwood, CEO at Xage Security
Intruder’s improved secrets detection checks critically sensitive secrets exposed by application front-ends, via spidering: systematically crawling through websites to find all exposures. It is now available to Intruder Enterprise plan customers. This approach is an improvement on traditional methods which automatically search through a list of known common locations, and use a regular expression to match known secret formats. Whilst this method offers value and can be used to find some exposures, it has serious limitations and won’t catch everything.
Secrets are leaking into production at scale, circumventing current detection mechanisms. Traditional VM tools (and SAST/DAST) have limitations which mean they won’t catch everything, and modern build pipelines can expose secrets in unexpected ways. These leaks create real breach paths: access to private repositories, CI/CD secrets, cloud credentials, internal ticketing systems, and more. Hardcoded or leaked secrets (API keys, passwords, tokens) are a primary cause of data breaches and are often left exposed for long periods of time.
Intruder developed this new capability after its security research team discovered thousands of exposed tokens, including highly sensitive GitHub/GitLab keys, project management API tokens, Slack webhooks, and more. Intruder scanned approximately 5 million applications using their new JavaScript bundle secrets scanner. Results found 100MB of plain text which included over 42,000 tokens across 334 types of secrets. The most impactful exposures found were tokens for code repository applications, identifying a total of 688 tokens, many of which were still active.
“This project revealed that there is a major class of leaked secrets weaknesses that are not being handled sufficiently by existing tooling – especially when it comes to secrets used by single-page applications,” said Dan Andrew, Head of Security at Intruder. “Secrets detection appears to be an area that benefits from being hit from all angles, including robust remote scanning that leaves no stone unturned.”
The research shows that relying on “shift-left only” approaches, scanning for threats and vulnerabilities earlier in development cycles, can still leave security gaps as it relates to leaked-secrets. As AI-assisted development accelerates coding and build automation, the risk is only growing. Without robust, remote secrets detection that inspects JavaScript bundles, organizations are blind to one of the fastest-growing sources of compromise.
The full research report with complete details on the team’s approach and the impact each type of vulnerability can have is now available on Intruder’s blog: Secrets in your Bundle(.js) – The Festive Gift Attackers Always Wanted.
Catch more CIO Insights: The CIO’s Role In Data Democracy: Empowering Teams Without Losing Control
[To share your insights with us, please write to psen@itechseries.com ]
