Web Security 20220926


One boring day during the pandemic, security researcher Craig Hays decided to do an experiment. He wanted to leak an SSH username and password into a GitHub repository and see if any attacker might find it. Hays thought he'd have to wait a few days, maybe a week, before anyone noticed it. Reality proved more brutal. The first unauthorized login happened within 34 minutes. "The biggest eye-opener for me was how quickly it was exploited," he tells CSO.

Over the first 24 hours, six different IP addresses connected to his honeypot a total of nine times. One attacker tried to install a botnet client, while another one attempted to use the server to launch a denial-of-service attack. Hays also saw someone who wanted to steal sensitive information from the server and someone else who was just looking around.

The experiment showed him that threat actors are constantly scanning GitHub and other public code repositories looking for sensitive data developers leave behind. The volume of secrets, including usernames, passwords, Google keys, development tools, or private keys, keeps rising as companies transition from on-premises software to the cloud and more developers work from home.

Hackers know GitHub is a great place to find sensitive information, and organizations such as the United Nations, Equifax, Codecov, Starbucks, and Uber have paid the price of negligence. Some companies might argue that they are not at risk because they don't work with open-source code, but the truth is more nuanced: developers often use their personal repositories for work projects. According to the State of Secrets Sprawl on GitHub report, 85% of the leaks occur on developers' personal repositories and only the remaining 15% within repositories owned by organizations.
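The practical defence against the kind of leak the experiment describes is to scan files for secrets before they ever reach a repository. The following is an added example, not code from the article or from Hays' experiment: a minimal pre-commit style scanner for the secret types the text lists (private keys, Google keys, hard-coded passwords) plus an entropy heuristic for unknown tokens. The regexes, the entropy threshold and the sample configuration are my own assumptions, and every value in the sample is fake.

```python
import math
import re

# Illustrative patterns for the secret types the article lists; not an
# exhaustive ruleset (real scanners such as gitleaks carry hundreds).
PATTERNS = {
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "password_assignment": re.compile(
        r"(?i)(password|passwd|pwd|secret)\w*\s*[:=]\s*['\"]?([^'\"\s]{6,})"),
}
# Long runs of token-like characters are checked with an entropy heuristic so
# that API tokens the regexes do not know about are still reported.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_\-]{24,}")


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking tokens usually score above 4."""
    length = len(s)
    return -sum(s.count(c) / length * math.log2(s.count(c) / length) for c in set(s))


def scan_for_secrets(text: str, entropy_threshold: float = 4.0):
    """Return (line_no, kind, evidence) for each line that looks like a leaked secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((line_no, kind, line.strip()))
                break
        else:  # no named pattern matched: fall back to the entropy heuristic
            for token in TOKEN_RE.findall(line):
                if shannon_entropy(token) >= entropy_threshold:
                    findings.append((line_no, "high_entropy_token", token))
                    break
    return findings


# Constructed sample file: every value below is fake and exists only for the demo.
SAMPLE_CONFIG = """\
# app settings (constructed sample, not a real configuration)
DB_HOST=db.internal.example
DB_PASSWORD=Hunter2Hunter2!
GOOGLE_MAPS_KEY=AIzaSyExampleExampleExampleExample12345
-----BEGIN RSA PRIVATE KEY-----
SOME_TOKEN=8f3kQ2pLz9vT1xWq7bN4mY6rC0dH5jE2aG
LOG_LEVEL=info
"""

if __name__ == "__main__":
    for line_no, kind, evidence in scan_for_secrets(SAMPLE_CONFIG):
        print(f"line {line_no}: {kind}: {evidence}")
```

Run as a pre-commit hook over staged files, a non-empty result should block the commit; the entropy threshold is a tuning knob and will produce some false positives on checksums and base64 blobs.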