Hacker analyzes “deleted” data on GitHub, scores $25K in bug bounties


GitHub commits are never truly deleted, and some developers are discovering this the hard way. White-hat hacker Sharon Brizinov scanned “deleted” dangling commits on GitHub and found thousands of secrets, some of them granting admin access to every repository belonging to a developer, earning $25,000 in bounties in the process.

Developers often force push to GitHub to erase earlier mistakes. What they frequently forget is that Git history retains everything: the overwritten commits survive even after the files are gone from the branch.

The security researcher correctly assumed that the leftover dangling commits, kept by GitHub “forever,” may contain very sensitive secrets.


“I scanned every force push event since 2020 and uncovered secrets worth $25k in bug bounties,” Brizinov details in the Truffle Security blog post.

Even more surprising is that the white-hat hacker used a “vibe-coded” (AI-generated) tool to scan GitHub and uncover thousands of active secrets.

Leaked MongoDB credentials were the most prevalent (1,247), but Brizinov also obtained hundreds of TelegramBotTokens and Postgres, Infura, OpenWeather, and AWS secrets. In total, developers inadvertently exposed 162 distinct secret types.

More than half of the leaked credentials were found in exposed .env files; the remainder was spread across other filenames such as index.js, application.properties, app.js, and server.js.

[Image: file types in which exposed secrets were found on GitHub. Image by Sharon Brizinov / Truffle Security]

“The most interesting leaked secrets were GitHub PAT tokens and AWS credentials. These also generated the highest bounties!” Brizinov said.

The active secrets are extremely sensitive and could lead to major security breaches.

One of the findings was a GitHub PAT granting admin access to all the repositories belonging to Istio. The Istio project is widely used for managing and securing microservices; it has 36,000 stars and 8,000 forks. A supply-chain compromise through it could have affected major corporations such as Google, IBM, Red Hat, and others.


“I could have read environment variables, changed pipelines, pushed code, created new releases, or even deleted the entire project. The potential for a mass supply-chain attack here was scary,” Brizinov explains.

[Image: exposed secrets found on GitHub. Image by Sharon Brizinov / Truffle Security]

Brizinov previously made an additional $64,000 from deleted files on GitHub. The follow-up research focused on scanning force push events, which often occur when developers “force a change in the current commit’s HEAD ref, effectively overwriting commit history.”

The researcher explains that developers reach for a force push when they have accidentally committed something like hard-coded credentials. What they then fail to do is rotate the credentials they exposed.
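The two claims above, that an overwritten commit is still in the object store and that the files it carried (often a .env) still yield working secret patterns, can be checked locally. The script below is an added example written for this article; it is not Brizinov's scanner or any Truffle Security code. It assumes the git binary is on PATH, uses a handful of deliberately simplified, constructed regexes for some of the secret types named earlier (real detectors are far more thorough and verify candidates against the provider), and uses the example access key ID from AWS's own documentation as the planted "secret". It builds a throwaway repository, commits a .env, undoes that commit with `git reset --hard` (the local step that precedes `git push --force`), and then shows that `git fsck` still surfaces the commit and the secret inside it.

```python
import os
import re
import shutil
import subprocess
import tempfile

# Whether the git binary is available; the regex scanner works without it.
GIT_AVAILABLE = shutil.which("git") is not None

# Simplified, constructed patterns for some of the secret types the article
# names. Illustrative only; they are not the detectors of any real tool.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "mongodb_uri": re.compile(r"\bmongodb(?:\+srv)?://[^:\s/]+:[^@\s/]+@\S+"),
    "postgres_uri": re.compile(r"\bpostgres(?:ql)?://[^:\s/]+:[^@\s/]+@\S+"),
    "telegram_bot_token": re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b"),
}


def scan_text(text):
    """Return (secret_type, matched_value) pairs for every pattern hit."""
    return [(name, m.group(0))
            for name, pat in SECRET_PATTERNS.items()
            for m in pat.finditer(text)]


def git(repo, *args, check=True):
    """Run a git command inside `repo` and return its stdout."""
    result = subprocess.run(["git", "-C", repo, *args], check=check,
                            capture_output=True, text=True)
    return result.stdout


def unreachable_commits(repo):
    """Commits that no branch, tag or index entry points to any more.

    --no-reflogs matters: the local reflog would otherwise keep the
    overwritten commit 'reachable', hiding exactly the objects that a
    force push leaves behind on the remote."""
    out = git(repo, "fsck", "--no-reflogs", "--unreachable", check=False)
    shas = []
    for line in out.splitlines():
        m = re.match(r"(?:unreachable|dangling) commit ([0-9a-f]{40})", line)
        if m:
            shas.append(m.group(1))
    return shas


def scan_unreachable(repo):
    """Scan every file of every unreachable commit for secret patterns.

    Returns (commit_sha, path, secret_type, value) tuples."""
    findings = []
    for sha in unreachable_commits(repo):
        paths = git(repo, "ls-tree", "-r", "--name-only", sha).split("\n")
        for path in filter(None, paths):
            content = git(repo, "show", f"{sha}:{path}")
            for kind, value in scan_text(content):
                findings.append((sha, path, kind, value))
    return findings


def build_demo_repo(path):
    """Constructed scenario: commit a .env holding a fake AWS key, then undo
    the commit with `git reset --hard`, the step that precedes a force push.
    The key is the example access key ID from AWS documentation."""
    git(path, "init", "-q")
    git(path, "config", "user.email", "dev@example.com")
    git(path, "config", "user.name", "dev")
    with open(os.path.join(path, "app.js"), "w") as f:
        f.write("console.log('hello');\n")
    git(path, "add", "app.js")
    git(path, "commit", "-q", "-m", "initial")
    with open(os.path.join(path, ".env"), "w") as f:
        f.write("AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n")
    git(path, "add", "-f", ".env")
    git(path, "commit", "-q", "-m", "add config")
    git(path, "reset", "-q", "--hard", "HEAD~1")  # the 'oops, undo that' step


def demo():
    """Build the scenario and return what a scanner still finds."""
    with tempfile.TemporaryDirectory() as repo:
        build_demo_repo(repo)
        # .env is gone from the working tree and from the branch...
        assert not os.path.exists(os.path.join(repo, ".env"))
        # ...but the commit and its blob are still in .git/objects.
        return scan_unreachable(repo)


if __name__ == "__main__":
    for sha, path, kind, value in demo():
        print(f"{sha[:12]} {path}: {kind} = {value}")
```

Running it prints the abbreviated hash of the "undone" commit together with the key recovered from its .env. The same reasoning applies on the remote: a force push replaces what the branch points to, not what the object store holds, which is why rotating the credential is the only fix that actually works.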

Vibe-coded tool now available for anyone

If you’re feeling lucky, you can now try scanning GitHub with the script Brizinov used. The researcher shared the code on GitHub.

The tool uses GitHub’s Events API, which lets users retrieve information about events that occur on GitHub, and GitHub Archive, a service that listens to GitHub’s public event stream and archives it.

“I used vercel v0 to vibe-code a whole platform for triaging these ‘Oops Commit’ secrets,” Brizinov said.


Reviewing discovered secrets remains a manual job, but the researcher expects to automate that later.


“This data could then be passed to a LLAMA-based agent that analyzes and identifies potentially valuable secrets.”

Brizinov warns developers to always consider exposed secrets compromised and revoke them immediately.

Security researchers have previously warned that everything posted on GitHub remains there indefinitely. In 2024 alone, developers committed code containing over 23 million new hardcoded secrets, according to security firm GitGuardian.