Developer errors lead to long-term exposure of sensitive data in Git repos
2024-06-26 12:00

By scanning the 100 most popular organizations on GitHub, which collectively include more than 50,000 publicly accessible repositories, researchers found active secrets belonging to open source organizations and enterprises such as Cisco and Mozilla, giving access to sensitive data and software.

The exposed secrets could lead to significant financial losses, reputational damage, and legal consequences.

This is because Git retains even deleted or overwritten commits, so a single developer mistake can expose a secret to savvy threat actors for an extended period.

"For years, we've been educating developers not to hard-code secrets into their code. Now it turns out that even doing this just once permanently exposes that secret - even when they thought it was deleted or overwritten. The impact of a sensitive data leak can lead to unauthorized access, compromised security controls and significant financial or reputational damage. This would be devastating," Kadkoda continued.

The Cisco security team confirmed the findings: "We discovered privileged Meraki API tokens used by some Fortune 500 companies. These tokens could allow attackers to access network devices, Simple Network Management Protocol secrets, camera footage, and more, serving as an initial foothold for the exposed parties."

Most secret scanners only examine content reachable through the git clone command, an approach that misses almost 18% of the secrets.
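An added example (not the article's code, and not from the researchers) that reproduces the point with a throwaway repository: a constructed fake token is committed, then overwritten in a later commit, then dropped from branch history, and three scan strategies are compared at each stage. It assumes git and mktemp are installed.

```shell
#!/bin/sh
# Added example, not code from the article: builds a throwaway repo, commits a
# constructed fake token, "removes" it the two ways the article describes
# (overwritten in a later commit, then deleted from branch history), and checks
# which scan strategy still finds it. Assumes git and mktemp are available.
set -eu

FAKE_TOKEN='EXAMPLE_TOKEN_constructed_0123456789abcdef'   # constructed, not a real credential
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# History after this: init -> "add config" (token committed) -> "remove token" (overwritten).
build_repo() {
  repo=$(mktemp -d)
  git -C "$repo" init -q
  git -C "$repo" commit -q --allow-empty -m "init"
  printf 'token = "%s"\n' "$FAKE_TOKEN" > "$repo/config.ini"
  git -C "$repo" add config.ini
  git -C "$repo" commit -q -m "add config"        # the one-time mistake
  printf 'token = "REDACTED"\n' > "$repo/config.ini"
  git -C "$repo" commit -q -am "remove token"     # the "fix" only hides it in history
  printf '%s\n' "$repo"
}

# Simulate a deleted or force-pushed-away commit: move the branch back to "init".
# The objects stay in the store until gc prunes them (and a hosting platform may keep them).
drop_commits() { git -C "$1" reset -q --hard HEAD~2; }

# Strategy 1: only the current tree, what a worktree-only scanner sees.
scan_head() { git -C "$1" grep -q -F -e "$2" HEAD; }

# Strategy 2: every commit reachable from a ref, i.e. what `git clone` fetches.
scan_reachable() { git -C "$1" grep -q -F -e "$2" $(git -C "$1" rev-list --all); }

# Strategy 3: every blob in the object store, reachable or not.
scan_all_objects() {
  git -C "$1" cat-file --batch-all-objects --batch-check |
    awk '$2 == "blob" { print $1 }' |
    while read -r sha; do
      git -C "$1" cat-file -p "$sha" | grep -q -F -e "$2" && echo "$sha"
    done | grep -q .
}

# Print one line per strategy, "found" or "missed", for the repo's current state.
report() {
  for s in scan_head scan_reachable scan_all_objects; do
    if "$s" "$1" "$FAKE_TOKEN"; then echo "$2 $s: found"; else echo "$2 $s: missed"; fi
  done
}

if [ "${1:-}" = "--demo" ]; then
  r=$(build_repo); report "$r" "overwritten:"
  drop_commits "$r"; report "$r" "deleted:"
fi
```

Run with `--demo`: after the overwrite only the HEAD-only scan misses the token; after the branch reset the clone-equivalent scan misses it too, while the object-store scan still finds it.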

News URL

https://www.helpnetsecurity.com/2024/06/26/git-exposed-secrets/