Massive GitHub analysis reveals 10 million secrets hidden in 1 billion commits

GitGuardian scanned 1.027 billion new GitHub commits in 2022 (+20% compared to 2021) and found 10,000,000 secrets occurrences (+67% compared to 2022). What is interesting beyond this ever-increasing number is that 1 code author out of 10 exposed a secret in 2022.

Hard-coding secrets

The widespread belief that hard-coded secrets are primarily committed by junior developers is a misconception. In truth, any developer, regardless of their level of experience or seniority, can fall into this practice.

Frequently, hard-coding secrets occurs because it is more convenient rather than due to a deficiency of knowledge or ability. Senior developers, who may only be testing a database connection or an endpoint, experience significant pressure to complete tasks quickly to satisfy business requirements.

Secrets represent more than just credentials; they serve as a secure binding force that connects the various elements of modern software supply chains, spanning from code to cloud. Due to their critical role, they have emerged as the most coveted information for attackers. Despite their significance, several data breaches that transpired in 2022 highlighted the inadequacy of their protection.

“Regarding the type of exposed secrets, more cloud provider keys are being leaked. Generally, there are not many positives from what we saw in our analysis, but one positive comes from AWS. They’re scanning GitHub for their credentials, and they are quarantining the credentials that they find. This resulted in a decrease in time exposed AWS credentials are available on GitHub. That model would work well if widely adopted,” Mackenzie Jackson, Developer Advocate at GitGuardian, told Help Net Security in a conversation.

Exploiting secrets

Two recent examples illustrate how secrets can be exploited in an attack:

• Uber An attacker breached Uber and used hard-coded admin credentials to log into Thycotic, the firm’s Privileged Access Management platform. They pulled a full account takeover on several internal tools and productivity applications.
• CircleCI an attacker leveraged malware deployed to a CircleCI engineer’s laptop to steal a valid, 2FA-backed SSO session. They could then exfiltrate customer data, including customer environment variables, tokens, and keys.

Monitoring GitHub in real-time

Live monitoring on GitHub has identified that over 80% of all exposed secrets are present in developers’ personal repositories, and a considerable portion of them are actually classified as corporate secrets.

Several theories have been proposed to explain this phenomenon. Of course, malicious behaviors cannot be discarded, including hijacking corporate resources and other shady motives. But the sheer scale of the phenomenon hints at something else: most of this happens because error is human and misconfiguring Git is easy.

Like other security issues, poor secrets management involves the typical trio of people, processes, and tools. If organizations intend to address the problem of scattered secrets effectively, they must tackle all three areas simultaneously.