New Frontiers in GitHub Secret Snatching
12 Aug 2022
Comprehensive Talk
Tillson Galloway
Abstract
Even after years of scolding from security teams around the world, GitHub remains a developer's favorite place to post passwords, API tokens, and proprietary information. While these leaks have been well studied for more than three years, gaps remain in the process of uncovering them. Many secret-searching techniques only consider entities with strong connections to a company: users who belong to the company's org and repositories posted by the org itself. Most secrets have only loose connections to the organization, for example users who post their dotfiles and configs. By combining a breadth-first approach to GitHub searching with heuristics for eliminating false positives, we are able to find secrets more effectively. We highlight recent work in the area of secret sprawl and present a new technique to find secrets across GitHub.
This talk is the first to provide the following:
- A new, breadth-first technique to find secrets across GitHub
- Strategies for false-positive reduction that can be applied both to source code and to other OSINT tools
- Insight into the root causes of leaks: what types of repos are more likely to be posted?
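To make the breadth-first idea from the abstract and the false-positive strategies from the list above concrete, here is an added example (not the speaker's code or tooling) that a security team could use to audit its own organization's exposure. It walks a constructed, in-memory graph from a hypothetical org to its members and on to every repo they own, including personal dotfiles, then keeps only candidate values that survive a placeholder check and a Shannon-entropy threshold. The org name, users, repos and file lines are all constructed sample data.

```python
import math
import re
from collections import Counter, deque

# Constructed sample graph (hypothetical org, users, repos and file contents).
ORG_MEMBERS = {"acme-corp": ["alice", "bob"]}
USER_REPOS = {
    "alice": ["acme-corp/api", "alice/dotfiles"],  # dotfiles: loose tie to the org
    "bob": ["bob/notes"],
}
REPO_LINES = {
    "acme-corp/api": ['API_KEY = "EXAMPLE_KEY_REPLACE_ME"'],
    "alice/dotfiles": ['export ACME_TOKEN="q7Zr2kPw9xLm4sVn8bTc1yHj5dFg3eKa"'],
    "bob/notes": ["token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
                  "password = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"],
}

# A secret-looking assignment: a sensitive keyword, then = or :, then a long token.
CANDIDATE = re.compile(
    r'(?i)(?:key|token|secret|password)\W{0,3}\s*[=:]\s*["\']?([A-Za-z0-9_\-]{20,})')
# Words that mark documentation placeholders rather than live credentials.
PLACEHOLDER = re.compile(r"(?i)example|replace|changeme|xxx|dummy|sample")

def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens score well above hand-typed filler."""
    counts = Counter(s)
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in counts.values())

def looks_like_secret(value: str, min_entropy: float = 3.5) -> bool:
    """False-positive filter: reject placeholders and low-entropy strings."""
    if PLACEHOLDER.search(value):
        return False
    return shannon_entropy(value) >= min_entropy

def bfs_find_secrets(org: str):
    """Breadth-first walk: org -> members -> every repo they own -> candidate lines."""
    findings, seen = [], set()
    queue = deque(("user", u) for u in ORG_MEMBERS.get(org, []))
    while queue:
        kind, name = queue.popleft()
        if (kind, name) in seen:
            continue
        seen.add((kind, name))
        if kind == "user":
            queue.extend(("repo", r) for r in USER_REPOS.get(name, []))
        else:
            for line in REPO_LINES.get(name, []):
                m = CANDIDATE.search(line)
                if m and looks_like_secret(m.group(1)):
                    findings.append((name, m.group(1)))
    return findings
```

With this sample data the only surviving finding comes from the personal dotfiles repo, which an org-only search would never have visited; the three placeholder and filler values are dropped by the heuristics.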