
199 points elza_1111 | 5 comments
1. NoahZuniga No.44452378
I find it hard to believe that they could have made $25k with this. There are companies that scan all commits on gh for secrets, using similar techniques for finding secrets in files.
replies(4): >>44452421 #>>44452521 #>>44452553 #>>44453322 #
2. wordofx No.44452421
Congrats on commenting without reading the article.
3. xarope No.44452521
This is specifically deleted commits, which, even if they are deleted locally, are not so on GH, hence why he was able to find deleted .envs etc.
4. Sayrus No.44452553
"70% of secrets leaked in 2022 remain valid today"[1] is a quote that should help understand the situation.

[1] https://blog.gitguardian.com/the-state-of-secrets-sprawl-202...

5. bashwizard No.44453322
I'm surprised that it's not more. A couple of years ago I spent a few months basically GitHub dorking for leaked API keys and made more than that.