raesene9 a day ago

An interesting look at one of the consequences of using git and public repos.

Does leave me wondering how long before someone has a setup which detects and tries to exploit these in real-time, which feels like it could be nasty.

Also a challenge with these posts is that they were unlikely to have been able to contact all the affected developers who have exposed secrets, meaning that any who were uncontactable/non-responsive are likely still vulnerable now. I'd guess that means they're about to see what happens if those secrets get abused, as people start exploring this more...

matsemann a day ago | parent | next [-]

There are hundreds of setups like that already. If you push an AWS key or similar publicly you may have a bitcoin miner or botnet running on your cloud in a matter of minutes.

raesene9 a day ago | parent | next [-]

The point here being the blog is about looking for oops commits to spot keys that would otherwise not necessarily be picked up automatically...

sunbum a day ago | parent | prev [-]

Nope. Because if you push an AWS key then it gets automatically revoked by AWS.

matsemann a day ago | parent | next [-]

AWS was just an example, but it kinda proves my point though, that people are already monitoring this ;)

larntz a day ago | parent | prev [-]

I wouldn't rely on anything other than rotating leaked credentials.

hboon a day ago | parent | prev [-]

There are already people scanning git repos for Bitcoin/Ethereum/crypto keys and exploiting them immediately.

raesene9 a day ago | parent | next [-]

There are a lot of secret classes that aren't necessarily automatically scanned for. The Oops commit is a good signal that something shouldn't have been committed, even if automated scanners don't get it.
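As an added example (not from the thread or from the blog it discusses), this is the kind of audit a repository owner could run over their own history along the lines of raesene9's point: commits whose message looks like an "oops" cleanup are treated as a signal, and only their removed lines are checked for credential-looking content. The commit records are constructed sample data; the regexes and the entropy threshold are assumptions, not anyone's published rules.

```python
import math
import re

# Commit messages that typically accompany removing something that should not have been committed (assumed patterns).
OOPS_RE = re.compile(r"\b(oops|whoops|accidental(ly)?|remove[sd]? (secret|key|token|password|credential)s?)\b", re.I)
# Long runs of base64/hex-ish characters, and secret-ish variable names, are the two signals we look for.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
KEYWORD_RE = re.compile(r"(secret|token|password|api[_-]?key|private[_-]?key)", re.I)


def shannon_entropy(s):
    """Bits per character; random-looking credentials score high, prose and repeated chars score low."""
    n = len(s)
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def removed_lines(diff_text):
    """Return the '-' lines of a unified diff (content only), skipping the '---' file header."""
    return [l[1:] for l in diff_text.splitlines() if l.startswith("-") and not l.startswith("---")]


def is_suspicious(line, min_entropy=3.5):
    """A removed line is suspicious if it names a secret or carries a long, high-entropy token."""
    if KEYWORD_RE.search(line):
        return True
    return any(shannon_entropy(t) >= min_entropy for t in TOKEN_RE.findall(line))


def flag_oops_commits(commits):
    """commits: iterable of (sha, message, diff_text). Returns [(sha, [suspicious removed lines])]."""
    flagged = []
    for sha, msg, diff in commits:
        if not OOPS_RE.search(msg):
            continue  # the commit message is the signal; skip everything else
        hits = [l.strip() for l in removed_lines(diff) if is_suspicious(l)]
        if hits:
            flagged.append((sha, hits))
    return flagged


# Constructed sample history (not real commits, not a real key): (short sha, message, unified diff).
SAMPLE_COMMITS = [
    ("c0ffee1", "Add deploy script", "+++ b/deploy.sh\n+aws s3 sync ./build s3://bucket\n"),
    ("0000001", "oops, remove key", "--- a/config.py\n+++ b/config.py\n"
     "-AWS_SECRET_ACCESS_KEY = \"EXAMPLE-NOT-A-REAL-KEY-0123456789abcdef\"\n"
     "+AWS_SECRET_ACCESS_KEY = os.environ[\"AWS_SECRET_ACCESS_KEY\"]\n"),
    ("0000002", "oops typo", "--- a/README.md\n+++ b/README.md\n-Teh quick fix\n+The quick fix\n"),
    ("0000003", "refactor config loader", "--- a/config.py\n+++ b/config.py\n-password = load(\"db\")\n+password = settings.db\n"),
]

if __name__ == "__main__":
    for sha, hits in flag_oops_commits(SAMPLE_COMMITS):
        print(sha, hits)
```

In practice the tuples would be parsed from `git log -p` over the repository being audited; anything flagged was public at some point, so it should be treated as exposed and rotated, as larntz says.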

2OEH8eoCRo0 a day ago | parent | prev [-]

Not just Git either. Push a container to Docker Hub and you'll get instant downloads. Presumably people scanning containers for secrets.