Over 100,000 GitHub repos have leaked API or cryptographic keys

guest · Mar 22, 2019

Over 100,000 GitHub repos have leaked API or cryptographic keys
Thousands of new API or cryptographic keys leak via GitHub projects every day
March 21, 2019
https://www.zdnet.com/article/over-100000-github-repos-have-leaked-api-or-cryptographic-keys/

A scan of billions of files from 13 percent of all GitHub public repositories over a period of six months has revealed that over 100,000 repos have leaked API tokens and cryptographic keys, with thousands of new repositories leaking new secrets on a daily basis.

They didn't just use the GitHub Search API to look for these text patterns, like other previous research efforts, but they also looked at GitHub repository snapshots recorded in Google's BigQuery database.
NCSU TEAM SCANNED FOR API TOKENS FROM 11 COMPANIES
Inside this gigantic pile of files, researchers looked for text strings that were in the format of particular API tokens or cryptographic keys.

In total, the NCSU team said they found 575,456 API and cryptographic keys, of which 201,642 were unique, all spread over more than 100,000 GitHub projects.
Click to expand...

The paper that Reaves authored together with Michael Meli and Matthew R. McNiece is titled "How Bad Can It Git? Characterizing Secret Leakage in Public GitHub Repositories," and is available for download in PDF format.

"Our findings show that credential management in open-source software repositories is still challenging for novices and experts alike," Reaves told us.
Click to expand...

Paper: "How Bad Can It Git? Characterizing Secret Leakage in Public GitHub Repositories" (PDF - 413 KB):
https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_04B-3_Meli_paper.pdf

guest · Mar 22, 2019

GitLab now automatically warns against merging API keys into your codebase
March 22, 2019
https://thenextweb.com/dd/2019/03/2...-against-merging-api-keys-into-your-codebase/

GitLab, the hugely popular devops platform, today announced the introduction of secrets detection with version 11.9 of the service. This means that should someone inadvertently include an API key or secret in a commit to a shared repository, the service will warn the user.

From a security perspective, this is a huge advantage. API secrets are supposed to be that – secret. If they fall into the wrong hands, an attacker could use them to gain third party services at the developer’s expense.
Even if you’re working on a private repository, you still shouldn’t bake API keys in the code. It’s terrible practice.

AWS keys, for example, can be weaponized to spin up hundreds of hugely expensive instances, which can be used to mine cryptocurrencies. A stolen Twilio API key could be used to call expensive premium rate phone numbers or broadcast a deluge of SMS spam.
Click to expand...

It’s worth mentioning that GitHub has had a similar feature for a while.

Of course, it’s not clear if that’s helping shape user behavior.
Click to expand...

guest · Oct 1, 2020

It takes hackers 1 minute to find and abuse credentials exposed on GitHub
We set up a honeypot by publishing AWS credentials
October 1, 2020
https://www.comparitech.com/blog/information-security/github-honeypot/

Developers routinely use GitHub to back up, share, and manage changes to code. GitHub code repositories are usually public, meaning anyone can find and access code that’s been uploaded to the site. And all too often, developers forget to remove sensitive data from their code before putting it on GitHub.

Exposing sensitive private data in public GitHub repositories isn’t a new problem. Malicious hackers actively scan and scrape GitHub for leaked passwords, client IDs, secret keys, and API tokens, to name a few, because they know programmers are prone to such oversights.
But how long does it take for attackers to find data once it’s exposed, and what do they do with it?

Our researchers created multiple accounts on Amazon Web Services (AWS) and GitHub. They then published user credentials such as AWS IDs and secret keys in public GitHub repositories.
Click to expand...

Even if a developer quickly realizes their mistake after committing code to GitHub, they might not be able to remove it before attackers get their hands on the exposed credentials.

By examining all of the logs from our honeypot, researchers found that every API call came from 547 unique IP addresses, showing that hackers use proxies to help hide abusive activity. Attack activity decreased with time, with the vast majority of attacks made within one hour of exposure.
How to prevent credential exposure on GitHub
Both AWS and GitHub provide users with some basic protections against these sorts of attacks. GitHub has a secret scanning feature that checks repositories for exposed credentials using regular expressions. As we saw with our honeypot, Amazon can suspend compromised accounts and alert administrators via phone and email. But as we demonstrated, these mechanisms shouldn’t be relied upon.
Click to expand...

guest · Nov 12, 2021

Driftwood debuts: New open source tool hunts for leaked public-private key pairs
The tool will help security professionals find compromised TLS keys and sensitive keys tied to GitHub accounts
November 12, 2021
https://portswigger.net/daily-swig/...ool-hunts-for-leaked-public-private-key-pairs

A new hacking tool designed for the discovery of leaked, paired private and public keys which may be harmful has been released to the open source community.

The software, dubbed ‘Driftwood’, was released by Truffle Security on November 8.
Driftwood is described as a tool to let “security professionals immediately know if an identified encryption key is a sensitive key” across online repositories.
Click to expand...

In September, the cybersecurity firm released TruffleHog, a Chrome browser extension designed to find API Keys for software-as-a-service (SaaS) and cloud services that have accidentally made their way into JavaScript. During testing, dozens of private encryption keys were found.

Truffle Security co-founder Dylan Ayrey said Driftwood builds upon Trufflehog’s ability to find leaky keys by leveraging open ledgers of public keys.
The tool uses two sources: Google’s Certificate Transparency project, an open log of TLS certificates created after 2018, and GitHub SSH keys, which together create a database of billions of keys.

“Because GitHub lets you query these SSH keys for other users, we are able to use Driftwood to quickly figure out if a private key happens to pair with a GitHub user,” Truffle Security said.
Click to expand...

Driftwood in action
In a blog post this week, Ayrey explained that Driftwood is able to take an asymmetric private key, extract the public key component, and then compare this key to the TLS/SSH key database to check if it pairs with a known, sensitive key.

During testing, a 50,000-strong sample revealed “dozens” of private GitHub user SSH keys containing push rights to hundreds of repositories including those owned by major tech firms, according to the cybersecurity outfit.
Click to expand...

Truffle Security: Driftwood: Know if Private Keys are Sensitive

Asymmetric private keys are among the most often leaked out. We’re open sourcing a tool that immediately tells you if one is sensitive https://github.com/trufflesecurity/driftwood

With this tool we found the private keys for hundreds of TLS certificates, and SSH keys that would have allowed an attacker to compromise millions of endpoints/devices.
Click to expand...

Log in or Sign up

Over 100,000 GitHub repos have leaked API or cryptographic keys

guest Guest

guest Guest

guest Guest

guest Guest

Log in or Sign up

Over 100,000 GitHub repos have leaked API or cryptographic keys

guest Guest

guest Guest

guest Guest

guest Guest

Useful Searches