GitLab Security Breach Exposes 17,000+ Secrets in Public Repositories

johny899

I just found out something that shocked me! According to a security analysis of public GitLab repositories, there were over 17,000 records of high-profile secret keys and passwords exposed freely on the web. How are there still that many exposed secrets?

Here is what happened

A security analyst conducted a scan of approximately 5.6 million public GitLab projects. The security analyst used the tool TruffleHog to scan GitLab projects to look for secret keys and passwords that had been left open to hackers. The analysis took just over 1 day to complete, and 17,430 keys and passwords were discovered to belong to various companies/services.

What kind of secrets were discovered

The secret keys and passwords that were discovered were of many types, including:
  • Google Cloud (more than 5,000)
  • MongoDB Database Passwords
  • Telegram Bot Tokens
  • GitLab Personal Access Tokens
  • OpenAI API Keys
Some of the leaked keys/passwords were from as far back as 2009 and were still in working order. That was a major surprise to me: that an old piece of code could still be used to gain access.

This is an alarming situation

What if someone obtained your API key or database password? They would have the ability to:
  • Steal the information and data within your cloud account(s)
  • Hack into your cloud accounts
  • Take down your cloud services
  • Use any of your accounts to host costly services
  • Disseminate virus software via software updates
Placing secrets publicly is like leaving your keys in your front door for passers-by to see.

How to avoid doing this as a Developer

If you're a coder or collaborate with other coders, always follow these basic rules:
  • Never include passwords or API keys within your code
  • Always utilize code-scrubbing applications that detect secrets prior to publishing
  • Intentionally remove/change/move any key that becomes known to you (immediately).
  • Regularly review previous versions of source code to validate that older mistakes haven't been replicated.
  • Use secret storage tools/environment variables, or both.
Trust me, I was able to locate an API key stored in source code for one of my own apps and consider myself fortunate because nobody discovered it before I did.

My thoughts

I see this as a bit of a wakeup call. We are under the impression that only large businesses can be hacked, but that is not true. Even a simple error can lead to serious repercussions. If an individual with a laptop can search through millions of repositories in a single day, think of how quickly and easily an attacker could penetrate these sites!

Final comments

A summary of what to take away:

  • There are now over 17,000 secret keys publicly available in GitLab repositories.
  • Many of these keys are still usable and thereby, dangerous.
  • Anyone is capable of using these keys.
  • We need to be vigilant about maintaining the confidentiality of our secret keys and vetting the code we generate.
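The post describes two things in prose: a scanner that finds committed secrets (the TruffleHog scan of the 5.6 million projects) and the developer rule of keeping secrets out of source code. The following is an added example that is not part of the original post, the analyst's scan, or TruffleHog itself. It pairs a small pre-publish secret scanner for the token types the post lists with the hardened pattern of loading a secret from the environment. The detector regexes are simplified assumptions built on the publicly known token prefixes (glpat-, AIza, sk-, the Telegram `<digits>:<token>` shape, and `mongodb://user:password@`); the exact lengths are illustrative, and the sample settings file and its values are constructed and belong to no real account.

```python
import os
import re
from typing import Dict, List, Mapping, Optional, Tuple

# Simplified detectors for the secret types named in the post. The prefixes
# are well-known public token shapes; the lengths are illustrative
# assumptions, not the rules TruffleHog or any vendor actually ships.
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    "gitlab_personal_access_token": re.compile(r"\bglpat-[A-Za-z0-9_-]{20,}"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "openai_api_key": re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"),
    "telegram_bot_token": re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b"),
    "mongodb_uri_with_password": re.compile(r"mongodb(?:\+srv)?://[^:\s/@]+:[^@\s/]+@"),
}

Finding = Tuple[int, str, str]  # (line number, detector name, redacted match)


def redact(secret: str, keep: int = 6) -> str:
    """Keep only a short prefix so the scan report cannot itself re-leak the secret."""
    return secret[:keep] + "..." + "*" * 4


def scan_text(text: str) -> List[Finding]:
    """Run every detector over each line of text and return the hits, redacted."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((lineno, name, redact(match.group(0))))
    return findings


def scan_files(paths: List[str]) -> Dict[str, List[Finding]]:
    """Scan several files before publishing; unreadable files are skipped, not crashed on."""
    report: Dict[str, List[Finding]] = {}
    for path in paths:
        try:
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                hits = scan_text(fh.read())
        except OSError:
            continue
        if hits:
            report[path] = hits
    return report


def load_secret(name: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Hardened pattern: take the secret from the environment (filled by a secret
    manager or CI variable), never from a literal in the source tree, and fail
    loudly instead of silently running with an empty credential."""
    source = os.environ if env is None else env
    value = source.get(name, "").strip()
    if not value:
        raise RuntimeError(f"{name} is not set; refusing to start without it")
    return value


# Constructed sample of a settings file as it must NOT be committed. The
# values are made up for this example and correspond to no real account.
CONSTRUCTED_SAMPLE = """\
# settings.py (constructed sample)
GITLAB_TOKEN = "glpat-EXAMPLEEXAMPLEEXAMPL"
MONGO_URL = "mongodb://app_user:hunter2@db.example.internal:27017/app"
OPENAI_KEY = os.environ["OPENAI_API_KEY"]   # acceptable: nothing literal here
"""

if __name__ == "__main__":
    for lineno, detector, shown in scan_text(CONSTRUCTED_SAMPLE):
        print(f"line {lineno}: {detector} -> {shown}")
    # The hardened loader refuses to start when the secret is absent.
    try:
        load_secret("GITLAB_TOKEN", env={})
    except RuntimeError as exc:
        print("startup blocked:", exc)
```

Running the module reports the GitLab token on line 2 and the MongoDB password on line 3 of the constructed sample while leaving the environment-based line alone. To cover the post's advice about reviewing previous versions, the same `scan_text` can be fed the output of `git log -p` so that secrets removed from the current tree but still present in history are found as well; the redaction keeps the report itself safe to paste into a ticket.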