Concise Cyber

Checkmarx Finds Thousands of Developer Credentials Exposed on AI Coding Websites

Security researchers at Checkmarx discovered thousands of exposed developer credentials on AI-powered code generation websites. Developers inadvertently leaked sensitive information, including API keys and secrets, by pasting them into these online tools.

How AI Tools Leaked Sensitive Data

The exposure occurred when developers submitted code snippets containing private credentials to generate or debug code. Platforms such as Code-GPT and Swift-AI cached this user-submitted data. This cached information was made publicly accessible and was indexed by search engines, allowing researchers to find it with simple search queries.

The leaked data included a wide range of sensitive keys for services like OpenAI, Google Search, cloud providers, financial services, and various social media platforms. Researchers were able to locate the exposed information by searching for common credential patterns, such as “api_key=” or “secret=”.
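A defensive counterpart to the search described above, as an added example that is not from Checkmarx or the article: a Python filter that redacts credential assignments from a snippet before it is pasted into an online tool. Only `api_key` and `secret` come from the article; the other key names, the 8-character minimum and the sample snippet are assumptions constructed for illustration.

```python
import re

# "api_key" and "secret" are the patterns named in the article; "token" and
# "password"/"passwd" are assumed additions. Values shorter than 8 characters
# are ignored (assumed threshold) to cut down on noise.
ASSIGNMENT = re.compile(r"""
    (?P<name>["']?[\w.-]*(?:api[_-]?key|secret|token|passw(?:or)?d)[\w.-]*["']?)
    (?P<sep>\s*[:=]\s*)                  # name = value, name: value, ?name=value
    (?P<quote>["']?)                     # value may be quoted or bare
    (?P<value>[^\s"'&,;()\[\]{}]{8,})    # literal value, no brackets or calls
    (?P=quote)
    (?=[\s"'&,;)\]}]|$)                  # must end at a delimiter, so a lookup
                                         # such as os.environ[...] is left alone
""", re.IGNORECASE | re.VERBOSE)


def redact(snippet):
    """Return (clean_text, findings); findings is a list of (line_no, key_name)."""
    findings = []

    def _sub(m):
        line_no = snippet.count("\n", 0, m.start()) + 1
        findings.append((line_no, m.group("name").strip("\"'")))
        q = m.group("quote")
        return f"{m.group('name')}{m.group('sep')}{q}<REDACTED>{q}"

    return ASSIGNMENT.sub(_sub, snippet), findings


# Constructed sample: every credential value below is fake.
SAMPLE = '''\
import os, requests
OPENAI_API_KEY = "sk-constructed-example-0000"
cfg = {"client_secret": "constructed-secret-1111"}
url = "https://api.example.test/v1?api_key=constructedkey2222&q=x"
safe = os.environ["OPENAI_API_KEY"]
api_key = os.environ["OPENAI_API_KEY"]
'''

if __name__ == "__main__":
    clean, found = redact(SAMPLE)
    for line_no, name in found:
        print(f"line {line_no}: redacted value of {name}")
    print(clean)
```

The filter only catches literal values assigned to a recognisable key name; a credential passed positionally or under an unrelated variable name will pass through unredacted.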

Discovery and Platform Response

The Checkmarx research team identified the issue through public search engines, highlighting the ease and speed with which the exposed data could be found. Upon discovering the vulnerabilities, the researchers notified the affected websites.

In response to the notification, at least one of the sites, Swift-AI, took action. The platform removed its public caching feature to prevent further exposure of user data.

Source: https://www.csoonline.com/article/4096193/developers-left-large-cache-of-credentials-exposed-on-code-generation-websites-2.html