I scanned all of GitHub's "oops commits" for leaked secrets

(trufflesecurity.com)

199 points elza_1111 | 3 comments | 03 Jul 25 06:44 UTC | HN request time: 0.554s | source

Show context

raesene9 ◴[03 Jul 25 07:15 UTC] No.44452472[source]▶

An interesting look at one of the consequences of using git and public repo's.

Does leave me wondering how long before someone has a setup which detects and tries to exploit these in real-time, which feels like it could be nasty.

Also a challenge with these posts is they were unlikely to have been able to contact all the affected developers who have got exposed secrets, meaning that any that were uncontactable/non-responsive are likely still vulnerable now, I'd guess that means they're about see what happens if those secrets get abused, as people start exploring this more...

replies(2): >>44452481 #>>44452488 #

matsemann ◴[03 Jul 25 07:18 UTC] No.44452488[source]▶

>>44452472 #

There are hundred of setups like that already. If you push an AWS key or similar publicly you may have a bitcoin miner or botnet running on your cloud in matter of minutes.

replies(2): >>44452797 #>>44453281 #

1. sunbum ◴[03 Jul 25 08:14 UTC] No.44452797[source]▶

>>44452488 #

Nope. Because if you push an AWS key then it gets automatically revoked by AWS.

replies(2): >>44453107 #>>44453236 #

2. larntz ◴[03 Jul 25 09:11 UTC] No.44453107[source]▶

>>44452797 (TP) #

I wouldn't rely on anything other than rotating leaked credentials.

3. matsemann ◴[03 Jul 25 09:29 UTC] No.44453236[source]▶

>>44452797 (TP) #

AWS was just an example, but it kinda proves my point though, that people are already monitoring this ;)

↑