
A single hardcoded password is like leaving a digital landmine. Still, developers remain trapped in a false sense of security.
Even though data breaches are on the rise, developers are still refusing to be cautious. Whether due to oversight in the frenzy of coding or sheer neglect, exposing plaintext credentials – such as API keys, passwords, and authentication tokens – creates significant security risks.
Security firm GitGuardian has revealed that throughout 2024, developers committed code to GitHub containing over 23 million new hardcoded secrets. Hardcoding means embedding sensitive information directly in source code, where anyone who can read the code, or the repository's commit history, can read the secret. Cybersecurity experts have long flagged the practice as unsafe.
Despite GitHub's push protection, which blocks pushes that contain secrets in known vendor formats, the research shows a 25% increase in leaks over the previous year.
What secrets are leaked the most?
So-called generic secrets are the fastest-growing group of secrets that developers are failing to protect, constituting a striking 58% of all leaked secrets.
Generic secrets include:
- Hardcoded passwords embedded in source code
- Database connection strings
- Custom authentication tokens
- Encryption keys stored in plaintext
This is troublesome because generic secrets have no fixed format, which makes them harder to detect and remediate. A pattern-based scanner, including GitHub's built-in secret scanning, can recognise a vendor-specific token by its prefix, length and character set, but a plain password in a string literal looks like any other string, so these secrets pass through such scanners unnoticed.
MongoDB, a widely used open-source document database, continues to be a major source of leaked credentials this year, accounting for 18.8% of detected secrets in public repositories, compared to just 3.9% in private ones.
Telegram bot tokens represented 6.3% of the secrets found in public repositories, but were virtually nonexistent in private repositories. This aligns with the fact that most enterprises do not integrate Telegram into their workflows.
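The difference between a vendor-specific secret and a generic one is easiest to see in a scanner. The following is an added example written for this article, not GitGuardian's or GitHub's detection code: two regex rules catch a MongoDB connection string and a Telegram bot token by shape, while a generic password can only be caught indirectly, by the name of the variable it is assigned to and the randomness of its value. The sample source, the variable names and the Telegram token layout (bot ID, colon, 35 token characters) are assumptions of the example; the credentials are constructed and not real.

```python
import math
import re
from collections import Counter

# Constructed sample source (not real credentials) containing the kinds of
# secret the article lists, written the way they commonly appear in a commit.
SAMPLE_SOURCE = """\
MONGO_URI = "mongodb+srv://app_user:Tr0ub4dor-3xample@cluster0.example.net/prod"
TELEGRAM_TOKEN = "123456789:AAFakeExampleTokenStringForIllustrX"
db_password = "xK9#vP2$mQ7!wL4z"
password = "password"
name = "readme"
timeout = 30
"""

# Vendor-specific secrets have a fixed shape, so a regex recognises them on
# sight. The Telegram rule approximates the <bot_id>:<35 chars> layout and is
# an assumption of this example, not a vendor's or GitGuardian's detector.
PATTERNED_DETECTORS = {
    "mongodb_uri": re.compile(r"mongodb(?:\+srv)?://[^\s\"']+"),
    "telegram_bot_token": re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])"),
}

# Generic secrets have no shape of their own; the only usable signals are the
# context (a secret-looking variable name) and the randomness of the string.
SECRET_ASSIGNMENT = re.compile(
    r"""(?i)\b([a-z_]*(?:password|passwd|pwd|secret|token|api_?key)[a-z_]*)\s*[=:]\s*["']([^"']+)["']"""
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 4.0 means 16 equally frequent symbols."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Never echo the full secret into findings or logs."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan(source: str, entropy_threshold: float = 3.0, min_length: int = 8) -> list:
    """Return one finding per detected secret, with the value redacted."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        patterned = False
        for kind, rx in PATTERNED_DETECTORS.items():
            m = rx.search(line)
            if m:
                findings.append({"line": lineno, "type": kind, "value": redact(m.group(0))})
                patterned = True
        if patterned:
            continue
        # Generic path: a secret-like name assigned a quoted string that is long
        # and random enough to look like a credential rather than a word.
        m = SECRET_ASSIGNMENT.search(line)
        if not m:
            continue
        var, value = m.group(1), m.group(2)
        entropy = shannon_entropy(value)
        if len(value) >= min_length and entropy >= entropy_threshold:
            findings.append({"line": lineno, "type": "generic_secret", "variable": var,
                             "value": redact(value), "entropy": round(entropy, 2)})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_SOURCE):
        print(finding)
```

Running the scan reports three findings: the MongoDB URI and the Telegram token on lines 1 and 2 by pattern, and `db_password` on line 3 because its 16-character value has 4.0 bits of entropy per character. Line 4, `password = "password"`, is missed: the name is a strong hint, but the value's entropy (2.75 bits) is below the threshold, and raising the threshold lower would flood the results with ordinary strings. That trade-off is exactly why generic secrets are the hardest class to detect and why a weak real password is the most likely one to slip past a scanner.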


Developers still rely on repository privacy to protect them
Researchers found that private repositories are eight times more likely to contain hardcoded secrets. Thirty-five percent of all private repositories scanned contained at least one plaintext credential.
A private repository on GitHub is visible only to accounts that have been explicitly granted access, unlike a public one, which anyone can read. Almost three-quarters of all leaked secrets in private repositories were generic.
“We compared our findings from public GitHub with anonymized customer data. The data shows developers treat secrets in public code differently than in private code,” the report reads.

“The trend suggests that organizations may be relying on ‘security through obscurity,’ assuming that because their repositories are private, the secrets contained within them are safe,” say the researchers.
In private repositories, 24% of all generic secrets found were generic passwords, versus 9% of all the generic secrets found in public repositories.
A private repository is only as secret as every account, personal access token and CI runner that can read it. An attacker who obtains any one of those, through a phished developer, a leaked token or a compromised build pipeline, reads the plaintext credentials directly, and those credentials work just as well for the attacker as for the developer, opening the databases, cloud accounts and internal services they unlock and enabling lateral movement across the organization's systems.
Leaky iOS apps
Leaking secrets is a widespread problem that affects platforms well beyond source repositories. Cybernews's own recent research on iOS applications shows that the same mistake is made in shipped software, where the secret travels inside a binary that any user can download and inspect.
The Cybernews research team analyzed more than 156,000 apps and found more than 815,000 leaked hardcoded secrets. The results show that most apps on Apple's App Store appear to leak at least one hardcoded secret, including high-sensitivity secrets such as keys to cloud storage, various APIs, and even payment processors.