Git secrets

Inspired by my search for secrets in images on DockerHub.com, I started to wonder whether secrets can also be found inside Git.

Git-reflog

Git-reflog was my first thought. If you have never heard about git reflog, read about it! To make the story short: it is the mechanism inside Git that records ALL activity in the local repository; for example, you can find deleted branches there.

The potential could be very big, but unfortunately the reflog is not pushed to public repositories on GitHub, GitLab, or Bitbucket.

GitHub API

You can search GitHub repositories by calling the API, e.g.:

https://api.github.com/search/code?q=aws+language:java&sort=updated&per_page=100&page=1

Limitations

Your request needs to be authenticated, and even then a rate limit applies to API calls.

Additionally, results appear 5 minutes after a push to GitHub.

Raw

An interesting concept is raw access to files, e.g.:

https://raw.githubusercontent.com/spring-projects/spring-boot/main/build.gradle

From my tests, a newly pushed file appears at its raw URL some minutes after the push to GitHub, while changes to an existing file are reflected in the raw link 1 minute after the push. So if somebody pushes a secret by mistake, it will be visible there within 1 minute.
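The two observations above point to the same defensive lesson: the reflog keeps commits that were reset or removed from a branch, and anything that does get pushed is public within a minute, so the place to catch a leaked credential is the local history before the push. The following is an added example, not code from the original post. It scans the text of git history for likely secrets in added lines; it assumes the input is the output of `git log -p --all` (everything on any branch) together with `git log -g -p` (commits reachable only from the reflog) run in your own repository, and a constructed sample stands in for that output here. The AWS access key ID format is public; the assignment heuristic and every value in the sample are made up.

```python
"""
Scan git history text for secrets that were committed (and possibly later "removed").

Added example, not code from the original post. Assumed input: the output of
`git log -p --all` plus `git log -g -p` from your own repository. A constructed
sample stands in for that output below.
"""
import re
from dataclasses import dataclass

# Detection patterns. The AWS access key ID format (AKIA/ASIA + 16 chars) is
# publicly documented; the assignment pattern is a heuristic. Values that start
# with "$" are skipped so templated references like "${DB_PASSWORD}" are not flagged.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "generic_secret_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|access[_-]?key|token)"
        r"\s*[:=]\s*['\"]?(?!\$)[^\s'\"]{8,}"
    ),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


@dataclass(frozen=True)
class Finding:
    commit: str   # full SHA from the "commit ..." header
    path: str     # file path from the "+++ b/..." header
    kind: str     # key of PATTERNS that matched
    line: str     # the added line, stripped


def scan_patch(patch_text):
    """Return a Finding for every added ('+') line that matches a pattern.

    Only added lines are checked: a '-' line removing a secret proves the secret
    was already committed, and the commit that added it is scanned anyway.
    """
    findings = []
    commit = path = None
    for raw in patch_text.splitlines():
        if raw.startswith("commit "):
            commit = raw.split()[1]
        elif raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif raw.startswith("+") and not raw.startswith("+++"):
            added = raw[1:]
            for kind, regex in PATTERNS.items():
                if regex.search(added):
                    findings.append(Finding(commit, path, kind, added.strip()))
    return findings


def commits_with_secrets(findings):
    """Map each commit SHA to the set of secret kinds found in it."""
    result = {}
    for f in findings:
        result.setdefault(f.commit, set()).add(f.kind)
    return result


# Constructed sample: three commits as `git log -p` would print them. Commit 1 adds a
# key, commit 2 "removes" it (it stays in history), commit 3 exists only in the reflog.
# All SHAs, names and secret values are placeholders, not real data.
SAMPLE_HISTORY = """\
commit 1111111111111111111111111111111111111111
Author: Dev <dev@example.invalid>

    add config

diff --git a/config.env b/config.env
--- /dev/null
+++ b/config.env
@@ -0,0 +1,2 @@
+DB_HOST=localhost
+AWS_ACCESS_KEY_ID=AKIACONSTRUCTED00000
commit 2222222222222222222222222222222222222222
Author: Dev <dev@example.invalid>

    remove key from config (still in history!)

diff --git a/config.env b/config.env
--- a/config.env
+++ b/config.env
@@ -1,2 +1,2 @@
 DB_HOST=localhost
-AWS_ACCESS_KEY_ID=AKIACONSTRUCTED00000
+AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
commit 3333333333333333333333333333333333333333
Reflog: HEAD@{3} (Dev <dev@example.invalid>)
Author: Dev <dev@example.invalid>

    wip: local settings (dropped by git reset, kept by the reflog)

diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -1,1 +1,4 @@
 DEBUG = True
+DB_PASSWORD = "hunter2hunter2"
+CI_TOKEN = "${CI_TOKEN}"
+DEPLOY_KEY = "-----BEGIN RSA PRIVATE KEY-----"
"""

if __name__ == "__main__":
    for f in scan_patch(SAMPLE_HISTORY):
        print(f"{f.commit[:8]} {f.path}: {f.kind}: {f.line}")
```

Run against `git log -p --all` before pushing and the scanner reports the commit that introduced the key even though a later commit removed it, which is exactly what a public history would expose; run against `git log -g -p` it also covers the reset commit that only the local reflog remembers, so it can be cleaned up before it is ever pushed.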

Secrets alerts

From the article, I can see that GitHub has enabled secret scanning. It makes searching for secrets inside GitHub.com almost impossible.

Summary

GitHub.com is the biggest player on the open-source repository hosting market. But there are still other players that are not so well secured.

Monetization

Like in my previous thinking process, my biggest problem is how to monetize such secrets. As I have proven, mining Monero cryptocurrency on AWS is a joke (around 1% return on the money invested). You may say it is not your money, but to earn $1k, you need to use around $100k of AWS resources. For me, the profit is too small.

Ideas

Do you have a good idea of how to monetize secrets found in Docker images on DockerHub.com? Let me know!

Contact

Let me know in the comments what you think about this topic!

You can also write a direct message to me: black.hat.developer.online@gmail.com