Enterprise secrets leaked in code management systems
Enterprise secrets could be inadvertently leaking via GitHub repositories, according to new research from Aqua Security.
By scanning the 100 most popular organizations on GitHub, which collectively hold more than 50,000 publicly accessible repositories, Aqua researchers found active secrets belonging to open source organizations and enterprises such as Cisco and Mozilla that grant access to sensitive data and software. The exposed secrets could lead to significant financial losses, reputational damage, and legal consequences.
The research shows that 'phantom secrets' can persist in the Git-based infrastructure underlying most Source Code Management systems (SCMs), including GitHub, GitLab, Bitbucket and others. Because these systems retain commits even after they have been deleted or overwritten, a single developer mistake can leave a secret exposed to savvy threat actors over extended periods.
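The retention mechanism described above can be reproduced locally. The following script is an added example, not code from Aqua's research or from any of the projects named: it commits a constructed placeholder token, "removes" it with `git commit --amend` so that no branch points at the original commit, and then shows that a scan over the reachable history finds nothing while a scan over every commit object in `.git/objects` still finds the token. The token value, file name and helper names are all assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not code from Aqua's research: shows that a secret committed
# once survives a history rewrite in the Git object store, and how to scan
# every commit object (reachable or not) instead of only branch history.
set -eu

# Constructed placeholder; the value is deliberately fake.
FAKE_TOKEN='EXAMPLE_API_TOKEN_abc123def456'

# Commit helper that supplies an identity so the script runs on a bare system.
commit_as_dev() {
  # $1 = repo path, remaining args are passed to `git commit`
  repo="$1"; shift
  git -C "$repo" -c user.name=dev -c user.email=dev@example.invalid commit -q "$@"
}

# Builds a throwaway repository in $1 where a token was hard-coded, then
# "removed" with `git commit --amend`. The amended-away commit is on no branch,
# but its objects remain in .git/objects, mirroring what hosted SCMs retain.
make_repo() {
  repo="$1"
  rm -rf "$repo"
  git init -q "$repo"
  printf 'API_TOKEN=%s\n' "$FAKE_TOKEN" > "$repo/config.env"
  git -C "$repo" add config.env
  commit_as_dev "$repo" -m "add service config"
  # Developer's fix: read the token from the environment instead.
  printf 'API_TOKEN=${API_TOKEN:?set in CI secrets}\n' > "$repo/config.env"
  git -C "$repo" add config.env
  commit_as_dev "$repo" --amend -m "add service config (token from environment)"
}

# Commits reachable from some ref: what a naive history scan looks at.
reachable_commits() {
  git -C "$1" rev-list --all
}

# Every commit object in the store, including dangling ones left behind by
# amend, rebase or force-push.
all_commits() {
  git -C "$1" cat-file --batch-all-objects --batch-check='%(objectname) %(objecttype)' \
    | awk '$2 == "commit" { print $1 }'
}

# Reads commit hashes on stdin and prints "<commit>:<path>:<line>:<text>" for
# each line in that commit's tree matching the extended regex in $2.
scan_commits() {
  repo="$1"; pattern="$2"
  while read -r c; do
    git -C "$repo" grep -I -n -E -e "$pattern" "$c" -- </dev/null || true
  done
}

# Number of matching lines across reachable commits only.
count_hits_reachable() {
  reachable_commits "$1" | scan_commits "$1" "$2" | wc -l | tr -d ' '
}

# Number of matching lines across all commit objects.
count_hits_all() {
  all_commits "$1" | scan_commits "$1" "$2" | wc -l | tr -d ' '
}

# Demo: the ref-based scan reports nothing; the object-store scan finds the token.
DEMO="${TMPDIR:-/tmp}/phantom-secret-demo.$$"
make_repo "$DEMO"
echo "hits in reachable history: $(count_hits_reachable "$DEMO" "$FAKE_TOKEN")"   # 0
echo "hits across all objects:   $(count_hits_all "$DEMO" "$FAKE_TOKEN")"        # 1
rm -rf "$DEMO"
```

Running the script against your own clone with a real detection regex in place of `FAKE_TOKEN` shows whether a credential is still present in objects that no branch references. Locally, `git gc --prune` would discard such dangling objects, but that does nothing to the copies a hosting provider already received, which is why a credential that was ever pushed has to be treated as compromised and rotated rather than merely deleted from the tree.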
"Our findings are truly alarming, and it is crucial that everyone involved in software development grasps the seriousness of this issue," says Yakir Kadkoda, Aqua Nautilus lead security researcher. "For years, we’ve been educating developers not to hard-code secrets into their code. Now it turns out that even doing this just once permanently exposes that secret -- even when they thought it was deleted or overwritten. The impact of a sensitive data leak can lead to unauthorized access, compromised security controls and significant financial or reputational damage. This would be devastating."
Among the exposed secrets found by scanning open GitHub repositories were API tokens belonging to Cisco Meraki and the Mozilla project. The Cisco security team confirmed the findings: "We discovered privileged Meraki API tokens used by some Fortune 500 companies. These tokens could allow attackers to access network devices, Simple Network Management Protocol secrets, camera footage, and more, serving as an initial foothold for the exposed parties."
The Mozilla project also acknowledged that "An API token for the Mozilla FuzzManager with read-write privileges" and "an employee’s API token for sql.telemetry.mozilla.org was leaked." Both were assigned a 'Critical' score. Not only did the FuzzManager token allow access to many potential security vulnerabilities in Firefox and Tor, but the telemetry token gave access to confidential information related to Mozilla products and business.
You can find out more on the Aqua blog.