Credential Leak Through Bachelor Thesis

As an external expert, I take part in internship and bachelor thesis reviews and defenses, typically six to eight per year. Including intermediate reviews, this makes 12 to 16 theses to read and defenses to attend. It is voluntary work I genuinely like to do. It feels like I can give back to a university, lecturers and a study program that opened many doors for me. The theses also give glimpses into the industry and company internals.

This week I encountered a new situation.

Situation

The system in question is a SaaS platform for keeping track of marketing and sales information. I know the system somewhat, because it is also used by my current employer. Marketing and sales data is typically quite critical data for a company. We are talking deals, business contacts, forecasts and much more.

I should interject here: It is essential to understand that the student wrote the bachelor thesis as part of an internship project at a European company. So if that API key is a valid one, then this might be a credential leak for the company! This is especially problematic because the thesis was not marked as confidential. In turn, this means that the thesis should be considered publicly available through the university. Not a situation any company wants to face. Also not something a student wants to hear as part of their thesis defense.

So, to judge the criticality and find out whether this was a real issue, I typed the cURL statement into my terminal and executed it. Lo and behold, it worked! The SaaS platform responded with the first 100 business contacts of the company (paginated API). After trying out a few more APIs and cross-referencing the API responses, I was highly confident that the API key was, unfortunately, granting access to a production system filled with all kinds of sensitive data.
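A check that would have flagged the listing before the thesis was submitted, as an added example that is not from the post: it scans document text for cURL commands whose headers or query parameters carry a credential and reports each finding with the value redacted, so a reviewer can locate it without copying the secret. The thesis excerpt, the endpoint and the key values are constructed placeholders.

```python
import re
from typing import List, Tuple

# Header names and query parameters that commonly carry a credential (assumed set).
CREDENTIAL_HEADERS = {"authorization", "x-api-key", "api-key", "x-auth-token"}
CREDENTIAL_PARAMS = {"api_key", "apikey", "access_token", "token", "key"}

# A cURL command in a listing may continue over several lines with a trailing backslash.
_CURL_RE = re.compile(r"curl\b(?:[^\n\\]|\\\n)*", re.IGNORECASE)
_HEADER_RE = re.compile(r"(?:-H|--header)\s+(['\"])([^:'\"]+):\s*([^'\"]+)\1")
_PARAM_RE = re.compile(r"[?&]([A-Za-z_]+)=([^&\s'\"]+)")

# Constructed thesis excerpt; the key and host are placeholders, not real values.
THESIS_EXCERPT = """
Listing 4.2 shows how the contacts endpoint is called from the integration:

curl -H 'Authorization: Bearer EXAMPLEKEY-0000-not-a-real-token' \\
     'https://api.example.invalid/v1/contacts?limit=100'

The deals endpoint accepts the key as a query parameter instead:

curl "https://api.example.invalid/v1/deals?api_key=EXAMPLEKEY-1111-not-real&page=2"
"""


def redact(value: str) -> str:
    """Drop any auth scheme (e.g. 'Bearer') and keep only the first four characters."""
    token = value.strip().split(" ")[-1]
    return token[:4] + "..." if len(token) > 4 else "..."


def find_credentials_in_curl(text: str) -> List[Tuple[str, str, str]]:
    """Return (kind, name, redacted_value) for every credential-bearing header or
    query parameter found inside cURL commands in the given document text."""
    findings: List[Tuple[str, str, str]] = []
    for match in _CURL_RE.finditer(text):
        cmd = match.group(0).replace("\\\n", " ")  # join continuation lines
        for _, name, value in _HEADER_RE.findall(cmd):
            if name.strip().lower() in CREDENTIAL_HEADERS:
                findings.append(("header", name.strip(), redact(value)))
        for name, value in _PARAM_RE.findall(cmd):
            if name.lower() in CREDENTIAL_PARAMS:
                findings.append(("query", name, redact(value)))
    return findings


if __name__ == "__main__":
    for kind, name, hint in find_credentials_in_curl(THESIS_EXCERPT):
        print(f"credential in cURL {kind} '{name}': value starts with {hint}")
```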

Communication

  • Are there processes in place at the university to handle situations like these?
  • As an external expert reviewing a thesis, do I have an obligation to immediately report this to the company?
  • Will we violate the company’s trust by not telling them about this as early as possible?
  • Should we tell the student’s company supervisor about this in advance to not be surprised to hear about this during the thesis defense for the first time?
  • How will my communicating this affect the student’s final grade or whether they pass/fail?

I opted for a quick email to the university to explain the situation and ask for their opinion. The university decided not to inform the company in advance and instead to bring up the topic at the end of the defense. In light of the short amount of time (<24h) between me identifying this credential leak and the thesis defense, this seems acceptable. However, I am not sure I could have accepted keeping the company in the dark for more than a day.

Fault, Blame and Grading

Conclusion

Of course, the student immediately realized that they fucked up when we pointed out the credential leak. They were (visibly) feeling bad enough, and they learned something that day. Blaming them wouldn’t have done any good. Not for them and not for us.

Be Kind.

Ben Blackmore

he/him; just a software engineer; with @steadybithq ; @instanahq and @codecentric alumnus; opinions are my own