Inspired by searching for secrets from DockerHub.com, I started to think if I can find secrets inside Git.
Git-reflog was my first thought. If you never heard about git reflog, read about it! To make the story short: it is the mechanism inside git, to record ALL activities inside the local repository, eg. you can find deleted branches there.
The potential could be very big, but unfortunately, reflog is not being pushed to public repositories in GitHub, GitLab, and BitBucket.
You can search for a GitHub repository by calling API, eg.
Your request needs to be authenticated. Still, there is some rate limit mechanism for API calls.
Additionally, results appear 5 minutes after pushing to GitHub.
An interesting concept is a raw access to files, eg:
From my tests, it looks like it appears some minutes after the file is pushed to Github, and changes are reflected in the raw link after 1 minute after the push. So if somebody pushes a secret by mistake, it will be visible there for 1 minute.
Github.com is the biggest player in the open-source repository on the market. But there are still some other players that are not so well secured.
Like in the previous thinking process, my biggest problem is, how to monetize such secrets. As I have proven, mining Monero cryptocurrency on AWS is a joke (around 1% of the return of invested money). You may say, it is not your money, but to earn $1k, you need to use around $100k of AWS resources. For me, the profit is too small.
Do you have a good idea of how to monetize secrets found in the Docker images found on DockerHub.com? Let me know!
Let me know in the comments, what you think about this topic!
You can also write a direct message to me: firstname.lastname@example.org