Software developers letting secrets slip on GitHub, analyst warns


“To err is human” is the forgiving stance taken by a report that learned one in ten developers posting to expertise-sharing platform GitHub last year accidentally exposed classified data.

Researcher GitGuardian said that of the 13.3 million “distinct authors” who posted to the forum, commonly used by coders and other program developers to share and improve on ideas, 1.35 million “accidentally exposed a secret” – industry jargon for sensitive data not intended for public access.

ADVERTISEMENT

Moreover, of the 61.2 million data repositories that were judged active last year, 2.27 million (3.7%) had leaked data, leading GitGuardian to conclude that “secrets sprawl continues to expand worldwide.”

GitGuardian claims that left unchecked this so-called sprawl could end up compromising even the most prestigious tech firms – it cited as one example the “Hell’s Keychain” glitch detected in computing giant IBM’s cloud databases that “combined three exposed secrets and a network misconfiguration.”

It further claimed that, if discovered and exploited by threat actors, this vulnerability could have left IBM’s cloud-based clients exposed to a third-party supply chain attack.

Don’t blame this on novices

And more experienced developers should not be too quick to blame this kind of leakage on so-called rookies – because letting secrets slip is a mistake anyone can make, stressed GitGuardian.

“It is a common myth that hard-coded secrets are committed mainly by junior developers,” said the researcher. “The reality is that this can happen to any level of developer, regardless of experience or seniority.”

It warned that industry veterans pushed for time trying to meet their employers’ demands could be all too easily pressured into making one crucial mistake that allowed a secret slip out.

“Hard-coding secrets is often a result of convenience rather than a lack of knowledge or skill,” said GitGuardian. “Senior developers, who might be simply testing a database connection or an endpoint, are under tremendous pressure to deliver quickly to meet business demands. They are responsible for many hard-coded secrets too.”

ADVERTISEMENT

Secrets found detectable in hard-coding of programs shared on GitHub included Google application protocol interface (API) keys, GitHub access tokens, Google cloud keys, and company email passwords.

In a related incident, last year the Cybernews research team discovered that millions of .git folders had been left exposed to the public.

More from Cybernews:

Religious school data leaked by threat actors

Woman in a man’s world: how Finnish nursing student became a cybersecurity star

Silicon Valley Bank shuttered by US bank regulators amid investor frenzy

AI is an opportunity for humans rather than machines, author insists

ADVERTISEMENT

Microsoft executive hints at imminent release of GPT-4 with “multimodal” capabilities

Subscribe to our newsletter