Aqua Security, a provider in the field of Cloud Native Security, has published a new study showing how secrets such as login credentials, API tokens, and keys belonging to organizations can remain openly accessible for years in the Git-based infrastructure of most source code management systems (SCMs).
Aqua’s Team Nautilus demonstrated that such “phantom secrets” were exposed in the SCMs of numerous developer platforms; GitHub, GitLab, Bitbucket, and other platforms built on such SCMs are affected. The cause is the way these systems store commits: a commit that has been deleted or overwritten is not removed from the underlying object store, so a single mistake by a developer can expose a secret for an extended period to a threat actor who knows where to look.
By scanning the 100 most popular organizations on GitHub, encompassing more than 50,000 publicly accessible repositories, Team Nautilus found active secrets from open-source organizations and companies like Cisco and Mozilla that provide access to sensitive data and software. The exposed secrets could lead to significant financial losses, reputational damage, and legal consequences.
Code Once, Expose Forever
Although secure-coding best practice already dictates that secrets must not be hard-coded, many developers still do it. They rely on secret-scanning tools to catch the secret before it reaches production and then push an updated commit, typically through a history rewrite (amend, rebase, force-push) or a branch deletion, that no longer contains it. Phantom secrets exist because Git-based SCMs keep the original objects: code that has been overwritten or deleted from a repository's visible history remains stored in the underlying system and can still be retrieved from it. Most secret scanners only inspect what the Git clone command returns, that is, objects reachable from the current branches and tags, and so overlooked nearly 18 percent of the secrets Nautilus found.
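The following script is an added example, not Aqua's scanner and not code from the article. It reproduces the Git mechanism described above in a throwaway local repository: a secret is committed once, the commit is "undone" with an amend, and the original blob is still present in the object store, addressable by its hash, while a fresh clone (what a clone-based scanner sees) never receives it. The token string, file name and function names are constructed for the demo; it shows the local object store only, the platform-side retention Aqua reports is the same property exposed by the hosting service.

```bash
#!/usr/bin/env bash
# Added example (not Aqua's tooling): a secret survives "undo" in Git's
# object store. Token, file name and function names are constructed.
set -euo pipefail

FAKE_TOKEN='API_TOKEN=EXAMPLE_FAKE_TOKEN_0123456789'   # constructed, not a real credential

# Build a repo in which a developer commits a secret, then amends it away.
# Prints the repository path.
phantom_demo_repo() {
  local dir
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" config user.email dev@example.com
  git -C "$dir" config user.name dev
  printf '%s\n' "$FAKE_TOKEN" > "$dir/config.env"
  git -C "$dir" add config.env
  git -C "$dir" commit -qm 'add config'
  # The "fix": replace the literal and rewrite the commit. The old commit,
  # tree and blob are now unreachable from every branch and tag; only the
  # local reflog still points at them until it expires.
  printf 'API_TOKEN=${API_TOKEN}\n' > "$dir/config.env"
  git -C "$dir" add config.env
  git -C "$dir" commit -q --amend -m 'add config (secret removed)'
  echo "$dir"
}

# What a scanner that walks only reachable history sees: number of diff
# lines across all branches and tags that match the pattern.
scan_reachable_history() {
  local repo=$1 pattern=$2
  git -C "$repo" log -p --all | grep -cE "$pattern" || true
}

# What a scanner that also walks unreachable objects sees: every blob no ref
# points to is listed (--no-reflogs ignores the local reflog, which a remote
# never receives anyway) and its content is inspected. Prints the hit count.
scan_unreachable_blobs() {
  local repo=$1 pattern=$2 oid hits=0
  for oid in $(git -C "$repo" fsck --unreachable --no-reflogs 2>/dev/null \
               | awk '$1=="unreachable" && $2=="blob" {print $3}'); do
    if git -C "$repo" cat-file -p "$oid" | grep -E "$pattern" >/dev/null; then
      hits=$((hits + 1))
      echo "match in unreachable blob $oid" >&2
    fi
  done
  echo "$hits"
}

# Object id Git assigns to the original secret-bearing file content.
secret_blob_oid() {
  local repo=$1
  printf '%s\n' "$FAKE_TOKEN" | git -C "$repo" hash-object --stdin
}

# A fresh clone transfers only objects reachable from the refs it asks for,
# so the old blob is absent there: this is why clone-based scanners miss it.
# --no-local forces the transport path instead of hardlinking the objects dir.
blob_survives_clone() {
  local repo=$1 oid=$2 clone
  clone=$(mktemp -d)
  git clone -q --no-local "$repo" "$clone" 2>/dev/null
  if git -C "$clone" cat-file -e "$oid" 2>/dev/null; then echo yes; else echo no; fi
}

# Usage: bash phantom.sh demo
if [ "${1:-}" = "demo" ]; then
  repo=$(phantom_demo_repo)
  oid=$(secret_blob_oid "$repo")
  echo "reachable history matches:  $(scan_reachable_history "$repo" EXAMPLE_FAKE_TOKEN)"
  echo "unreachable blob matches:   $(scan_unreachable_blobs "$repo" EXAMPLE_FAKE_TOKEN)"
  echo "secret blob in source repo: $(git -C "$repo" cat-file -e "$oid" && echo yes || echo no)"
  echo "secret blob in fresh clone: $(blob_survives_clone "$repo" "$oid")"
fi
```

Run with the demo argument and the four lines read 0, 1, yes, no: the reachable-history scan is clean, the unreachable-object scan finds the token, the source repository still holds the blob by hash, and the clone does not. A scanner that wants to catch phantom secrets therefore has to enumerate objects the platform still serves, not just what a clone brings down.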
Mozilla and Cisco Confirm Findings
The exposed secrets found when scanning open GitHub repositories included API tokens from Cisco Meraki and the Mozilla project. Cisco’s security team confirmed the findings: “We discovered privileged Meraki API tokens used by some Fortune 500 companies. These tokens could allow attackers to access network devices, Simple Network Management Protocol secrets, camera recordings, and more, serving as a first foothold for the compromised parties.” The Mozilla project confirmed that “an API token for the Mozilla FuzzManager with read and write permissions” and “an employee’s API token for sql.telemetry.mozilla.org have leaked.” Both leaks were classified as critical. Access to FuzzManager would expose many potential security vulnerabilities in Firefox and Tor, and the telemetry token gave access to confidential information about Mozilla products.
Nautilus also found an Azure Service Principal token belonging to a large healthcare company exposed in a Git commit. The token was highly privileged and could be used to obtain credentials for the company's internal Azure Container Registry, which would have allowed an attacker to mount a supply chain attack against the company and its customers. In all cases, the exposed secrets were revoked immediately.
“Our findings are alarming, and it’s very important that everyone involved in software development understands the seriousness of this issue,” says Yakir Kadkoda, Aqua Nautilus Lead Security Researcher. “For years, we’ve been urging developers not to embed secrets in their code. Now it turns out that even if they do this just once, the secret is permanently exposed – even if they thought it was deleted or overwritten. The impacts of a leak in sensitive data can include unauthorized access, compromised security controls, significant financial losses, or reputational damage.”
“The findings once again reinforce the best practice that secrets should never be inserted into code, not even for testing purposes. And security teams must be able to monitor this,” says Amir Jerbi, CTO and co-founder of Aqua Security. “The software supply chain is optimized for speed and convenience, but this must not come at the expense of secure development practices.”
(lb/Aqua Security)