"Thousands of Popular Websites Leaking Secrets"

Security researchers at Truffle Security warn that thousands of the domains in the Alexa top 1 million websites list are leaking secrets, including credentials.  The researchers noted that 4,500 of the analyzed websites exposed their .git directory.  Created when a Git repository is initialized, a .git directory includes all the information necessary for a project, including code commits, file paths, version control information, and more.  In the case of some websites, the researchers noted, this directory can include their entire private source code.  Exposed .git directories could provide attackers with access to the entire source code, configuration files, commit history, and access credentials.  The researchers stated that attackers could use this inside knowledge to mount an attack against the victim’s web application or search the code for live credentials to third-party services like AWS.  An analysis of the exposed credentials has revealed that AWS and GitHub keys were the most prevalent type of leaked secrets, accounting for 45% of all credentials.  According to the researchers, an explanation for the large number of exposed GitHub tokens is the fact that they are often stored in the Git config file during remote repository cloning.  The researchers noted that third-party email marketing services (like Mailgun, SendInBlue, Mailchimp, and Sendgrid) accounted for a large percentage of the leaked keys as well.  Looking into the exposed GitHub credentials, the researchers discovered that roughly 67% of them were for accounts with admin-level privileges.  All (100%) had repo permissions, which would enable an attacker to take arbitrary actions against all of the victim user’s repositories, including, but not limited to, implanting malware in the code.  Further analysis of the identified secrets revealed the exposure of a private RSA key corresponding to a domain’s TLS certificate, potentially allowing attackers to conduct man-in-the-middle attacks.  The researchers stated that they attempted to contact all impacted site owners after identifying and verifying the exposed secrets but noted that the endeavor was not successful in all cases.

SecurityWeek reports: "Thousands of Popular Websites Leaking Secrets"