Critical (9.1) | Extreme danger
Exposed Secrets / API Keys in client code
A02:2025 | Passive check | CVSS 9.1
Critical impact. If this is found on your site, treat it as urgent. It can lead to real damage and is worth fixing before anything else.
What it is
Matches 23 key patterns (Stripe, AWS, OpenAI, private keys, JWTs…) and applies high-entropy string detection to JS bundles and inline scripts.
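As an added illustration of the two techniques named above (this is editor-written example code, not VibeSec's scanner, and its pattern list is a small illustrative subset rather than the 23 patterns the product uses), here is a Python scanner that runs fixed key-format regexes over a constructed JS bundle, blanks out what they matched, and then applies a Shannon-entropy check to any remaining long token-like strings. The entropy threshold of 4.0 bits per character and the regexes themselves are assumptions chosen for the example:

```python
"""Added example (not VibeSec code): pattern + entropy secret scan over a JS bundle.
The pattern list is an illustrative subset chosen for this example, not the product's rules."""
import math
import re

# Illustrative key formats. Assumption: these are the commonly documented
# prefixes; a real scanner keeps a larger, maintained list.
KEY_PATTERNS = {
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{24,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "openai_api_key": re.compile(r"\bsk-[0-9A-Za-z]{20,}"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
}

# Entropy pass: any long run of token-like characters not already matched above.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{32,}")
ENTROPY_THRESHOLD = 4.0  # bits per character (tuning knob; 4.0 is an assumed default)


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character; 0.0 for empty or one-symbol strings."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep only a short prefix so the finding itself does not re-leak the secret."""
    return f"{value[:6]}...({len(value)} chars)"


def line_of(source: str, offset: int) -> int:
    """1-based line number of a character offset in source."""
    return source.count("\n", 0, offset) + 1


def scan_js(source: str) -> list:
    """Return findings as dicts: rule, line, redacted sample (plus entropy for the fallback rule)."""
    findings = []
    masked = source  # pattern matches are blanked here so the entropy pass does not re-report them
    for rule, pattern in KEY_PATTERNS.items():
        for m in pattern.finditer(source):
            findings.append({"rule": rule, "line": line_of(source, m.start()),
                             "sample": redact(m.group(0))})
            # same-length blanking keeps offsets and line numbers aligned with source
            masked = masked[:m.start()] + " " * (m.end() - m.start()) + masked[m.end():]
    for m in TOKEN_RE.finditer(masked):
        ent = shannon_entropy(m.group(0))
        if ent >= ENTROPY_THRESHOLD:
            findings.append({"rule": "high_entropy_string", "line": line_of(masked, m.start()),
                             "entropy": round(ent, 2), "sample": redact(m.group(0))})
    return findings


# Constructed sample bundle; every value is fake and chosen to exercise one rule each.
# The last line is a long but low-entropy placeholder that should NOT be flagged.
SAMPLE_BUNDLE = """\
// constructed sample, all values fake
const stripe = Stripe("sk_live_abcdefghijklmnopqrstuvwx");
const aws = { accessKeyId: "AKIAEXAMPLEEXAMPLE00", region: "us-east-1" };
const openai = "sk-abcdefghijklmnopqrstuvwxyz0123";
const pem = "-----BEGIN RSA PRIVATE KEY-----\\nMIIEvQIBADANBg...";
const token = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0.abc123def456";
const mystery = "Q7mX9kL2pZ4vN8rT1wY6hJ3bC5dF0gSa";
const placeholder = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
"""

if __name__ == "__main__":
    for finding in scan_js(SAMPLE_BUNDLE):
        print(finding)
```

Two design choices matter in practice: matched spans are blanked before the entropy pass so a known-format key is reported once under its specific rule rather than twice, and samples are redacted in the output so the scan report does not become a second copy of the leaked secret. The entropy threshold trades false positives (minified identifiers, base64 images) against missed random keys and should be tuned per codebase.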
How attackers abuse it
Weak authentication or session handling lets an attacker log in as someone else, forge a token, or keep a session alive that should have ended. Once they are 'you', everything you can do, they can do.
Attacker playbook
1. Probe the login, token, or session for weaknesses (guessable tokens, weak signing, no expiry).
2. Forge or replay a token, or brute-force credentials where there is no lockout.
3. Take over the account and act with its privileges.
How VibeSec detects and confirms it
VibeSec checks for this with a passive, read-only scan that is safe to run on any site. We use VibeSec native and base the finding only on what your site already exposes publicly.
If this is in your report: how to fix it
- Use a vetted auth library; do not roll your own tokens or password hashing.
- Sign and verify tokens properly, set short expiries, and rotate on privilege change.
- Add rate limiting and lockout on login, and enforce strong passwords or MFA.
Check your site for this
Run a scan and see whether this affects you, in plain language with copy-paste fixes.