API keys, clouds, tokens, security

OK, that may be the laziest headline I've written in while.

Want to be somewhat shocked and appalled? Search 'mbasanta@vmtestdrive.com' in Shodan:

https://www.shodan.io/search?query=mbasanta%40vmtestdrive.com

Helpfully you get the username, password, security tokens to use in the results:

And there are a lot of them, all from the same company, all vmware on salesforce for login. Some with 'Ellucian', an e-learning connector, some not.

Don't worry, the api key, username, password, they are always the same. You don't need to bother scraping 🙂

protip: A good way to find exposed api's is to search for 'apiVersion'

Leave a Reply

Your email address will not be published. Required fields are marked *

*