I scanned all of GitHub's "oops commits" for leaked secrets

(trufflesecurity.com)

199 points elza_1111 | 1 comments | 03 Jul 25 06:44 UTC | HN request time: 0.202s | source

Show context

raesene9 ◴[03 Jul 25 07:15 UTC] No.44452472[source]▶

An interesting look at one of the consequences of using git and public repo's.

Does leave me wondering how long before someone has a setup which detects and tries to exploit these in real-time, which feels like it could be nasty.

Also a challenge with these posts is they were unlikely to have been able to contact all the affected developers who have got exposed secrets, meaning that any that were uncontactable/non-responsive are likely still vulnerable now, I'd guess that means they're about see what happens if those secrets get abused, as people start exploring this more...

replies(2): >>44452481 #>>44452488 #

hboon ◴[03 Jul 25 07:17 UTC] No.44452481[source]▶

>>44452472 #

There are already people scanning git repos for Bitcoin/Ethereum/crypto keys and exploiting them immediately.

replies(2): >>44453286 #>>44453417 #

1. raesene9 ◴[03 Jul 25 09:36 UTC] No.44453286[source]▶

>>44452481 #

There's a lot of secret classes that aren't necessarily automatically scanned for. The Oops commit is a good signal that something shouldn't have been committed, even if automated scanners don't get it.

↑