I just found out something that shocked me! According to a security analysis of public GitLab repositories, there were over 17,000 records of high-profile secret keys and passwords exposed freely on the web. How are there still that many exposed secrets?
• There are now over 17,000 secret keys publicly available in GitLab repositories.
• Many of these keys are still usable and therefore dangerous.
• Anyone is capable of using these keys.
• We need to be vigilant about maintaining the confidentiality of our secret keys and vetting the code we generate.
Here is what happened
A security analyst conducted a scan of approximately 5.6 million public GitLab projects. The analyst used the tool TruffleHog to scan the projects for secret keys and passwords that had been left open to anyone who looked. The analysis took just over 1 day to complete, and 17,430 keys and passwords belonging to various companies and services were discovered.
What kind of secrets were discovered
The secret keys and passwords that were discovered were of many types, including:
- Google Cloud (more than 5,000)
- MongoDB Database Passwords
- Telegram Bot Tokens
- GitLab Personal Access Tokens
- OpenAI API Keys
This is an alarming situation
What if someone obtained your API key or database password? They would have the ability to:
- Steal the information and data within your cloud account(s)
- Hack into your cloud accounts
- Take down your cloud services
- Use your accounts to host costly services on your bill
- Distribute malware via software updates
How to avoid doing this as a Developer
If you're a coder or collaborate with other coders, always follow these basic rules:
- Never include passwords or API keys within your code
- Always use secret-scanning tools that detect secrets before you publish
- Immediately revoke, rotate, or move any key that becomes exposed
- Regularly review previous revisions of the source code to confirm that older mistakes haven't been reintroduced
- Use a secrets manager, environment variables, or both
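To make the second rule concrete, here is an added example (not code from the original post and not TruffleHog itself): a small Python pre-commit check that scans text, or the lines being added in a staged git diff, for the secret types the post lists. The regular expressions are simplified assumptions of this example, not TruffleHog's detectors, and every sample value is constructed and fake.

```python
import re
import subprocess
import sys

# Simplified, illustrative patterns for the secret types the post lists.
# They are assumptions of this example, not TruffleHog's detectors; real key
# formats change over time, so treat them as a starting point only.
PATTERNS = {
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "gitlab_pat": re.compile(r"\bglpat-[0-9A-Za-z_\-]{20}\b"),
    "openai_api_key": re.compile(r"\bsk-[A-Za-z0-9]{48}\b"),
    "telegram_bot_token": re.compile(r"\b\d{8,10}:[A-Za-z0-9_\-]{35}\b"),
    "mongodb_uri_with_creds": re.compile(r"mongodb(?:\+srv)?://[^\s/:@]+:[^\s@]+@"),
}

def redact(token: str) -> str:
    """Keep only a short prefix/suffix so the report itself does not leak the secret."""
    return token[:6] + "..." + token[-4:] if len(token) > 12 else "***"

def scan_text(text: str) -> list:
    """Return (line_number, detector_name, redacted_match) for every hit in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                hits.append((lineno, name, redact(m.group(0))))
    return hits

def scan_staged_changes() -> list:
    """Pre-commit use: scan only the lines being added in the staged diff."""
    diff = subprocess.run(["git", "diff", "--cached", "-U0"],
                          capture_output=True, text=True, check=True).stdout
    added = "\n".join(l[1:] for l in diff.splitlines()
                      if l.startswith("+") and not l.startswith("+++"))
    return scan_text(added)

# Constructed sample config: every value below is fake and padded with "EXAMPLE".
SAMPLE_CONFIG = """\
GOOGLE_KEY = "AIzaSyEXAMPLEEXAMPLEEXAMPLEEXAMPLE12345"
GITLAB_TOKEN = "glpat-EXAMPLEEXAMPLEEXAMPL"
OPENAI_KEY = "sk-EXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE123456"
TELEGRAM = "123456789:AAEXAMPLEEXAMPLEEXAMPLEEXAMPLE12345"
MONGO_URI = "mongodb+srv://appuser:Hunter2Example@cluster0.example.net/db"
SAFE_KEY = os.environ["GOOGLE_KEY"]   # the right way: read it from the environment
"""

if __name__ == "__main__":
    findings = scan_staged_changes() if "--staged" in sys.argv else scan_text(SAMPLE_CONFIG)
    for lineno, name, shown in findings:
        print(f"line {lineno}: {name}: {shown}")
    sys.exit(1 if findings else 0)   # non-zero exit blocks the commit when used as a hook
```

Run it with `--staged` from a `.git/hooks/pre-commit` script to block commits that add a matching line; without the flag it scans the embedded sample and reports five findings, and the `os.environ` line is correctly not flagged.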
My thoughts
I see this as a bit of a wakeup call. We are under the impression that only large businesses can be hacked, but that is not true. Even a simple error can lead to serious repercussions. If an individual with a laptop can search through millions of repositories in a single day, think of how quickly and easily an attacker could penetrate these sites!
Final comments
A summary of what to take away:
• There are now over 17,000 secret keys publicly available in GitLab repositories.
• Many of these keys are still usable and therefore dangerous.
• Anyone is capable of using these keys.
• We need to be vigilant about maintaining the confidentiality of our secret keys and vetting the code we generate.