DESCRIPTION LAST UPDATED: 2025-09-08
DEFAULT SEVERITY LEVEL: HIGH
This report identifies the use of known or very weak cryptographic secrets across a variety of web frameworks/platforms. These are often the result of software developers copy-pasting or forking code published on the Internet that includes a copied cryptographic secret, for example from a project on GitHub, the official documentation of a project, or even a book.
To identify these “bad” secrets, we use the badsecrets library from Black Lantern Security.
Please review https://github.com/blacklanternsecurity/badsecrets?tab=readme-ov-file#current-modules for a list of currently supported checks.
The “bad” secrets found will have a badsecrets_type field set to SecretFound.
For the purpose of identifying these bad secrets, we do not conduct any new scans, but apply the checks to already collected scan data.
Please note: we are checking publicly exposed cryptographic products for known secrets, for example at the viewstate level – we are not exploiting any vulnerabilities or accessing protected assets in any way.
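To make the check concrete, the following is an added illustration (not the badsecrets library's own code and not part of this report description) of the approach in miniature: recompute the MAC of a signed value under each key from a list of known published secrets and report SecretFound when one validates, without decrypting or exploiting anything. The token format, the key list and the sample token are constructed for the example; real products such as ASP.NET ViewState have their own formats, which the badsecrets modules handle.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Optional

# Constructed stand-ins for "known" secrets of the kind copied from sample
# code or documentation. Placeholders for this example, not real leaked keys.
KNOWN_BAD_KEYS = [
    b"copied-from-readme-example",
    b"change-me",
    b"docs-sample-secret-key",
]


def sign_token(payload: bytes, key: bytes) -> str:
    """Build a signed token in a common framework style:
    base64url(payload) "." hex(HMAC-SHA256(key, payload)).
    Used here only to construct sample input for the check below."""
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + mac


def check_known_secret(token: str) -> Optional[dict]:
    """Recompute the MAC under every known key and report the first that validates.

    Returns a result shaped like the report's field (badsecrets_type = SecretFound)
    or None when no known key validates the token. Only MACs are compared, so the
    check is safe to run over already collected data."""
    parts = token.rsplit(".", 1)
    if len(parts) != 2:
        return None  # not in the expected signed format
    try:
        payload = base64.urlsafe_b64decode(parts[0])
    except (ValueError, binascii.Error):
        return None  # malformed body, nothing to verify
    for key in KNOWN_BAD_KEYS:
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        # constant-time comparison so the check itself leaks nothing about the MAC
        if hmac.compare_digest(expected, parts[1]):
            return {"badsecrets_type": "SecretFound",
                    "secret": key.decode(), "hash_algorithm": "sha256"}
    return None


if __name__ == "__main__":
    sample = sign_token(b"user=alice;role=user", b"docs-sample-secret-key")
    print(check_known_secret(sample))  # reports SecretFound for the sample key
```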
For better understanding of the issues being reported, please read Black Lantern’s blog post introducing their badsecrets library.
These known “bad” secrets should not be in use. If you receive an alert from us, make sure to replace these known “secrets” with secure values in your applications, but also investigate the platform for evidence of potential earlier misuse/compromise. You can replicate the results by using the Badsecrets tooling yourself.
You can track the results of our Badsecrets scans on our public Dashboard.
Severity levels are described here.
For more information on our scanning efforts, check out our Internet scanning summary page.
This report has IPv4 and IPv6 versions.
Filename(s): scan_badsecrets, scan6_badsecrets