Posted by elza_1111 2 days ago

I scanned all of GitHub's "oops commits" for leaked secrets(trufflesecurity.com)
196 points | 111 comments
alkonaut 1 day ago
So the question is: after I orphaned a commit, how do I _truly_ make sure it's not visible anywhere on GitHub? Is there no way short of contacting customer support to GC a repo? Shouldn't this just basically be a button on the repo, in the "danger zone" area of the repo maintenance?
SAI_Peregrinus 1 day ago
Assume you can't; even if you contact support, someone will have archived it by the time anything gets done. Murphy's Law of Internet Data Storage applies: if you post something to the internet, it'll be public forever; if there's something on the internet you remember seeing once and want to find again, it will have link-rotted and been lost forever.
abhisek 1 day ago
The thing people miss is that Git is really content-addressed storage. This means all commits, even the ones not linked to any refs, are still stored and addressable.

p.s.: If you run an OSS project, please use GitHub Advanced Security and enable Push Protection against secrets.

exceptione 1 day ago
Are you talking about the local branch and the local reflog?

I thought garbage collection should get rid of all dangling stuff. But even without that, I am curious if pushing a branch would push the dangling commits as well.
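
Added example, not from the thread or from any of the posters: a small Python model of what the two comments above are discussing. It writes objects in git's loose-object format (zlib-compressed `<type> <length>\0<payload>`, named by the SHA-1 of header plus payload, which is exactly how real git names objects), simulates an "oops" commit of a `.env` file that was later replaced by an amended commit so that no ref points at the original, then computes the set of objects reachable from the refs and scans the unreachable blobs for secret-shaped strings. The reachability walk is the same closure `git push` uses to decide which objects to send and `git gc` uses to decide what to keep, which is why pushing a branch does not carry dangling commits along and why the orphaned objects are still readable by hash until a prune runs. The secret regexes, the `AKIAIOSFODNN7EXAMPLE` value and the file contents are constructed placeholders; handling only loose objects (no packfiles) is an assumed simplification.

```python
"""Toy content-addressed object store in git's loose-object format.

Added example, not code from the thread. Objects, refs, keys and file
contents are constructed; loose objects only (packfiles are not parsed).
"""
from __future__ import annotations

import hashlib
import re
import tempfile
import zlib
from pathlib import Path

# Constructed example patterns: AWS access key IDs and GitHub classic PATs.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "github_pat": re.compile(rb"ghp_[A-Za-z0-9]{36}"),
}


def git_oid(kind: str, payload: bytes) -> str:
    """Object id = SHA-1 over "<type> <len>\\0" + payload, as git computes it."""
    return hashlib.sha1(f"{kind} {len(payload)}\0".encode() + payload).hexdigest()


def write_loose_object(objects: Path, kind: str, payload: bytes) -> str:
    """Store one object at objects/<first 2 hex>/<remaining 38 hex>."""
    oid = git_oid(kind, payload)
    path = objects / oid[:2] / oid[2:]
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(zlib.compress(f"{kind} {len(payload)}\0".encode() + payload))
    return oid


def read_loose_object(objects: Path, oid: str) -> tuple[str, bytes]:
    raw = zlib.decompress((objects / oid[:2] / oid[2:]).read_bytes())
    header, _, payload = raw.partition(b"\0")
    return header.split(b" ")[0].decode(), payload


def tree_entry(mode: str, name: str, oid: str) -> bytes:
    """One tree entry: "<mode> <name>\\0" followed by the 20 raw hash bytes."""
    return f"{mode} {name}".encode() + b"\0" + bytes.fromhex(oid)


def commit_payload(tree: str, parent: str | None, message: str) -> bytes:
    lines = [f"tree {tree}"] + ([f"parent {parent}"] if parent else [])
    who = "Example Dev <dev@example.invalid> 0 +0000"  # constructed identity
    lines += [f"author {who}", f"committer {who}", "", message]
    return "\n".join(lines).encode() + b"\n"


def tree_child_oids(payload: bytes) -> list[str]:
    oids, i = [], 0
    while i < len(payload):
        nul = payload.index(b"\0", i)  # mode and name never contain NUL
        oids.append(payload[nul + 1:nul + 21].hex())
        i = nul + 21
    return oids


def reachable_from(objects: Path, refs: dict[str, str]) -> set[str]:
    """Commits -> trees -> blobs from every ref: the set push and gc treat as live."""
    seen, stack = set(), list(refs.values())
    while stack:
        oid = stack.pop()
        if oid in seen:
            continue
        seen.add(oid)
        kind, payload = read_loose_object(objects, oid)
        if kind == "commit":
            for line in payload.split(b"\n"):
                if not line:
                    break  # blank line ends the commit headers
                key, _, value = line.partition(b" ")
                if key in (b"tree", b"parent"):
                    stack.append(value.decode())
        elif kind == "tree":
            stack.extend(tree_child_oids(payload))
    return seen


def all_object_ids(objects: Path) -> set[str]:
    return {d.name + f.name for d in objects.iterdir() if len(d.name) == 2 for f in d.iterdir()}


def scan_dangling_blobs(objects: Path, refs: dict[str, str]) -> list[tuple[str, str, str]]:
    """(oid, pattern name, match) for secret-shaped strings in unreachable blobs."""
    findings = []
    for oid in sorted(all_object_ids(objects) - reachable_from(objects, refs)):
        kind, payload = read_loose_object(objects, oid)
        if kind != "blob":
            continue
        for name, pattern in SECRET_PATTERNS.items():
            findings.extend((oid, name, m.group().decode()) for m in pattern.finditer(payload))
    return findings


def build_demo_repo(root: Path) -> tuple[Path, dict[str, str], str]:
    """Simulate an "oops" commit of .env, then an amended commit that drops it.
    The original blob, tree and commit stay in the store; no ref reaches them."""
    objects = root / ".git" / "objects"
    env = write_loose_object(objects, "blob", b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n")
    oops_tree = write_loose_object(objects, "tree", tree_entry("100644", ".env", env))
    write_loose_object(objects, "commit", commit_payload(oops_tree, None, "add config"))
    readme = write_loose_object(objects, "blob", b"# demo\n")
    fixed_tree = write_loose_object(objects, "tree", tree_entry("100644", "README.md", readme))
    fixed = write_loose_object(objects, "commit", commit_payload(fixed_tree, None, "add readme"))
    return objects, {"refs/heads/main": fixed}, env


def run_demo() -> tuple[list[tuple[str, str, str]], str]:
    objects, refs, env_oid = build_demo_repo(Path(tempfile.mkdtemp()))
    return scan_dangling_blobs(objects, refs), env_oid


if __name__ == "__main__":
    for oid, name, match in run_demo()[0]:
        print(f"dangling blob {oid[:12]} still holds {name}: {match}")
```

Against a real repository the same idea is `git cat-file --batch-all-objects --batch-check` (which also covers packfiles) minus the output of `git rev-list --objects --all`, with the remaining blob ids fed to a secret scanner. Locally, `git reflog expire --expire=now --all && git gc --prune=now` removes the unreachable objects; on a hosted remote that prune is not something the pusher controls, which is the point the thread keeps returning to.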

raesene9 2 days ago
An interesting look at one of the consequences of using git and public repos.

It does leave me wondering how long it will be before someone has a setup which detects and tries to exploit these in real time, which feels like it could be nasty.

Also, a challenge with these posts is that they were unlikely to have been able to contact all the affected developers who have exposed secrets, meaning that any who were uncontactable/non-responsive are likely still vulnerable now. I'd guess that means they're about to see what happens if those secrets get abused, as people start exploring this more...

matsemann 2 days ago
There are hundreds of setups like that already. If you push an AWS key or similar publicly, you may have a bitcoin miner or botnet running on your cloud in a matter of minutes.
raesene9 1 day ago
The point here being that the blog is about looking for oops commits to spot keys that would otherwise not necessarily be picked up automatically...
sunbum 2 days ago
Nope. Because if you push an AWS key then it gets automatically revoked by AWS.
matsemann 1 day ago
AWS was just an example, but it kinda proves my point though, that people are already monitoring this ;)
larntz 1 day ago
I wouldn't rely on anything other than rotating leaked credentials.
hboon 2 days ago
There are already people scanning git repos for Bitcoin/Ethereum/crypto keys and exploiting them immediately.
raesene9 1 day ago
There are a lot of secret classes that aren't necessarily automatically scanned for. The oops commit is a good signal that something shouldn't have been committed, even if automated scanners don't get it.
2OEH8eoCRo0 1 day ago
Not just Git either. Push a container to Docker Hub and you'll get instant downloads. Presumably people are scanning containers for secrets.
kristopolous 2 days ago
I wonder if you can honeypot this.
NoahZuniga 2 days ago
I find it hard to believe that they could have made $25k with this. There are companies that scan all commits on gh for secrets, using similar techniques for finding secrets in files.
Sayrus 2 days ago
"70% of secrets leaked in 2022 remain valid today"[1] is a quote that should help understand the situation.

[1] https://blog.gitguardian.com/the-state-of-secrets-sprawl-202...

xarope 2 days ago
This is specifically about deleted commits, which even if they are deleted locally are not deleted on GH, which is why he was able to find deleted .envs etc.
bashwizard 1 day ago
I'm surprised that it's not more. A couple of years ago I spent a few months basically GitHub dorking for leaked API keys and made more than that.
wordofx 2 days ago
Congrats on commenting without reading the article.
diogolsq 1 day ago
One more reason to activate key rotation.
xlii 1 day ago
Probably worth mentioning that force is a ref-related activity, not a snapshot-related activity. Garbage collection might remove unreferenced commits.

This should be done through history rewrites but as other commenters mention - GitHub has its own rights (and GitHub != git).

I’d recommend looking at simpler alternatives. IMO Jujutsu is mature enough for daily usage, and Fossil is a neat alternative if one wants to drop GitHub completely (albeit not very easy to use).

xyst 1 day ago
One of the reasons I keep `.env` and `.env.*` files in my global ignore file.
v3ss0n 2 days ago
Daily reminder:

- Once it is on the internet, it is always there, so rotate the key/secrets FIRST.

- Never think secrets are gone because you have recommitted.

- Deleting a commit is not enough; use BFG Repo-Cleaner - https://rtyley.github.io/bfg-repo-cleaner/ - and force commit to change history.

Edit: Forgot to add the most important thing - rotating the key.

weird-eye-issue 2 days ago
I think you mean "rotate the keys"
GrandaPanda 2 days ago
Had it correct in the first two points, then contradicted yourself with the last. Rotate your secrets.
v3ss0n 1 day ago
Yeah, good point. Rotating secrets is a point I forgot to add.
hnlmorg 2 days ago
The problem here is that GitHub keeps the ref logs even for commits that no longer exist.

I don’t see how BFG helps here

v3ss0n 1 day ago
It rewrites the history. Isn't that really enough? You can remove all the keys from the git history. And I agree, I forgot the point about rotating the key, which I always do first.
hnlmorg 1 day ago
No it’s not enough. Read the article and it will explain why.

Also, if you’re going to rotate your secrets (which you absolutely should do regardless) then everything else is pointless because it’s now just an invalid credential.

Timwi 1 day ago
It might remove it from your local repo, but not from GitHub, that's the point.
stogot 1 day ago
Crypto miners have been doing this for 10-12 years at least. I used to speak on this topic regularly. Deleted commits are insufficient; you must rotate your secrets.