
199 points elza_1111 | 9 comments
1. raesene9 No.44452472
An interesting look at one of the consequences of using git and public repos.

Does leave me wondering how long before someone has a setup which detects and tries to exploit these in real-time, which feels like it could be nasty.

Also, a challenge with these posts is that they were unlikely to have been able to contact all the affected developers who have exposed secrets, meaning that any who were uncontactable/non-responsive are likely still vulnerable now. I'd guess that means they're about to see what happens if those secrets get abused, as people start exploring this more...

replies(2): >>44452481 >>44452488
2. hboon No.44452481
There are already people scanning git repos for Bitcoin/Ethereum/crypto keys and exploiting them immediately.
replies(2): >>44453286 >>44453417
3. matsemann No.44452488
There are hundreds of setups like that already. If you push an AWS key or similar publicly, you may have a bitcoin miner or botnet running on your cloud in a matter of minutes.
replies(2): >>44452797 >>44453281
4. sunbum No.44452797
Nope. Because if you push an AWS key then it gets automatically revoked by AWS.
replies(2): >>44453107 >>44453236
5. larntz No.44453107
I wouldn't rely on anything other than rotating leaked credentials.
6. matsemann No.44453236
AWS was just an example, but it kinda proves my point though, that people are already monitoring this ;)
7. raesene9 No.44453281
The point here being the blog is about looking for oops commits to spot keys that would otherwise not necessarily be picked up automatically...
8. raesene9 No.44453286
There's a lot of secret classes that aren't necessarily automatically scanned for. The Oops commit is a good signal that something shouldn't have been committed, even if automated scanners don't get it.
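The "oops commit" signal described in this comment, turned into a check you can run over your own repository history, as an added example that is not from the thread or the blog it discusses. It reads a commit message plus its unified diff (constructed sample below), and flags removed lines that look like credentials only when the message reads like a cleanup; the message patterns and rules are assumed heuristics, and every finding means "rotate this", since the removed value is still in history.

```python
import re

# Commit-message phrasing that often accompanies an accidental secret commit (constructed heuristic list).
OOPS_MESSAGE = re.compile(
    r"\b(oops|whoops|accidentally|remove(?:d)? (?:secret|key|token|password|credential)s?)\b", re.I)

# Shapes of removed lines worth flagging: a known key format, a private-key header,
# or a secret-looking assignment with a long opaque value (assumed, illustrative rules).
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "secret_assignment": re.compile(
        r"(?i)(?:secret|token|password|api[_-]?key)\w*\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{16,})"),
}

def scan_commit(message: str, diff: str) -> list[dict]:
    """Return findings for removed ('-') lines that look like secrets, but only when the
    commit message reads like an 'oops' cleanup. A removed secret is still reachable in
    history, so each finding is a rotate-now signal; the value is redacted in the report."""
    if not OOPS_MESSAGE.search(message):
        return []
    findings, path = [], None
    for raw in diff.splitlines():
        if raw.startswith("--- "):          # old-file header, not a removed line
            continue
        if raw.startswith("+++ "):          # new-file header gives us the path
            path = raw[4:].removeprefix("b/")
            continue
        if not raw.startswith("-"):
            continue
        line = raw[1:]
        for rule, pat in RULES.items():
            m = pat.search(line)
            if m:
                value = m.group(m.lastindex or 0)   # captured value, or the whole match
                findings.append({"path": path, "rule": rule,
                                 "line": line.replace(value, value[:4] + "...")})
                break
    return findings

# Constructed sample: a commit that scrubs two hard-coded credentials from config.py.
SAMPLE_MESSAGE = "oops, remove secret from config"
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,3 @@
 REGION = "eu-west-1"
-AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
-API_TOKEN = "tok_9f8e7d6c5b4a3210fedcba9876543210"
+AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+API_TOKEN = os.environ["API_TOKEN"]
"""

if __name__ == "__main__":
    for f in scan_commit(SAMPLE_MESSAGE, SAMPLE_DIFF):
        print(f"rotate now: {f['rule']} in {f['path']}: {f['line']}")
```

In a real audit you would feed it `git log --format=%s -p` one commit at a time; a dedicated secret scanner with more rules belongs alongside it, this only adds the message-based trigger.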
9. 2OEH8eoCRo0 No.44453417
Not just Git either. Push a container to Docker Hub and you'll get instant downloads. Presumably people are scanning containers for secrets.