this post was submitted on 03 Jul 2025
19 points (91.3% liked)

  • GitHub Archive logs every public commit, even the ones developers try to delete. Force pushes often cover up mistakes like leaked credentials by rewriting Git history. GitHub keeps these dangling commits, from what we can tell, forever. In the archive, they show up as “zero-commit” PushEvents.
  • I scanned every force push event since 2020 and uncovered secrets worth $25k in bug bounties.
  • Together with Truffle Security, we're open sourcing a new tool to scan your own GitHub organization for these hidden commits (try it here).
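
The "zero-commit" PushEvent check described in the post, as an added example (not code from the post or from the Truffle Security tool). It assumes a force push appears as a PushEvent whose `payload.commits` is empty and whose `payload.before` is the overwritten commit; field names follow GitHub's public Events API, and the org name, repos and SHAs are constructed.

```python
import json

ZERO_SHA = "0" * 40  # "before" value when a ref is newly created, not rewritten

def _event(etype, repo, before="", commits=None):
    # Helper for the constructed sample data below (GitHub Events API shape).
    payload = {"ref": "refs/heads/main", "before": before, "head": "b" * 40,
               "commits": commits or [], "size": len(commits or [])}
    return json.dumps({"type": etype, "created_at": "2025-07-01T10:00:00Z",
                       "repo": {"name": repo}, "payload": payload})

# Constructed sample lines, one JSON event per line as in a GH Archive hourly file.
SAMPLE_LINES = [
    _event("PushEvent", "example-org/api", before="a" * 40),      # force push
    _event("PushEvent", "example-org/api", before="c" * 40,
           commits=[{"sha": "b" * 40, "message": "fix typo"}]),    # normal push
    _event("PushEvent", "other-org/web", before="d" * 40),        # not our org
    _event("PushEvent", "example-org/docs", before=ZERO_SHA),     # new branch
    _event("WatchEvent", "example-org/api"),                      # irrelevant type
    '{"type": "PushEvent", "repo": {"name": "example-org/api"',   # truncated line
]

def find_zero_commit_pushes(lines, org):
    """Return a finding for each zero-commit PushEvent in repos owned by `org`."""
    prefix = org.lower() + "/"
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or corrupt archive lines
        payload = event.get("payload") or {}
        repo = (event.get("repo") or {}).get("name", "")
        before = payload.get("before", "")
        if event.get("type") != "PushEvent" or not repo.lower().startswith(prefix):
            continue
        if payload.get("commits") or payload.get("size", 0) != 0:
            continue  # push added commits; not a zero-commit event
        if not before or before == ZERO_SHA:
            continue  # no previous head to recover
        findings.append({"repo": repo, "ref": payload.get("ref"),
                         "dangling_sha": before, "pushed_at": event.get("created_at")})
    return findings

if __name__ == "__main__":
    for f in find_zero_commit_pushes(SAMPLE_LINES, "example-org"):
        print(f"{f['pushed_at']} {f['repo']} {f['ref']}: inspect {f['dangling_sha']}")
```

Each `dangling_sha` returned for your own organization is a commit to review for credentials that need rotating.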