←back to thread

I scanned all of GitHub's "oops commits" for leaked secrets

(trufflesecurity.com)
199 points elza_1111 | 1 comments | 03 Jul 25 06:44 UTC | HN request time: 0.364s | source
Show context
raesene9 ◴[03 Jul 25 07:15 UTC] No.44452472[source]
An interesting look at one of the consequences of using git and public repo's.

Does leave me wondering how long before someone has a setup which detects and tries to exploit these in real-time, which feels like it could be nasty.

Also a challenge with these posts is they were unlikely to have been able to contact all the affected developers who have got exposed secrets, meaning that any that were uncontactable/non-responsive are likely still vulnerable now, I'd guess that means they're about see what happens if those secrets get abused, as people start exploring this more...

replies(2): >>44452481 #>>44452488 #
hboon ◴[03 Jul 25 07:17 UTC] No.44452481[source]
There are already people scanning git repos for Bitcoin/Ethereum/crypto keys and exploiting them immediately.
replies(2): >>44453286 #>>44453417 #
1. 2OEH8eoCRo0 ◴[03 Jul 25 10:05 UTC] No.44453417[source]
Not just Git either. Push a container to Docker Hub and you'll get instant downloads. Presumably people scanning containers for secrets.