Developers are posting their credentials online. I chose to warn them instead of hacking them

Recently I started playing with GitHub dorks and asked myself how a black-hat hacker could exploit these in a large scale attack.

Dorking is a term that refers to the practice of applying advanced search techniques and specialized search engine parameters to discover confidential information from companies and individuals that wouldn’t typically show up during a normal web search.

It quickly became clear that it’s harder to find stuff on GitHub because of programmers (:

Here are some example of what I found when I searched for all commits named “Remove password”

It’s easy to get your attention
ASCII Goatse

Alright so there is a lot of noise in these commits. You can find some credentials of course but it would be hard to filter all the noise programmatically. A better approach to find credentials is to search for specific strings in specific files.

I chose to cover the sftp-config.json file which is a file used by the SFTP plugin for Sublime text. This plugin helps developers to manage file transfer and can be used along with SSH.

So let’s search for filename:sftp-config.json password on GitHub

That’s better, we get some freshly published ones. The next step was to automate this. Fortunately the GitHub API offers all I needed.

I iterated over all the commits and only kept the result if

  • The commit was made this year
  • The file contained a password, login & host (discarding people using ssh keys instead of password…)
  • The host was alive(ping)

I got a 121 results, keep in mind this is only for a particular file in a 2 month period and there are a lot of other dorks. It looks like this in my database:

Is that a security company? :’ )

It’s time to switch hat now since legally I’m not allowed to try to connect to these servers. So I thought I was going to warn them instead. GitHub API makes it easy to create an issue on a repository so that’s what I’ve done. Here’s how it looks like:

You’ve been visited by white-hat pepe

Funny enough while publishing my code on GitHub I myself posted my GitHub API token… Oops.

But shortly after that I received this email from GitHub:

We noticed that a valid OAuth access token of yours was committed to a public GitHub repository. Publicly disclosing a valid access token would allow other people to interact with GitHub on your behalf, potentially altering data, your contact information, and billing data.
As a precautionary measure, we have revoked the OAuth token. A new token will need to be generated in order to continue using OAuth to authenticate to GitHub.

Nice… So they’re doing this already but only for GitHub tokens since they have the power to revoke them.

As I’m writing this story I just discovered https://gitleaks.com/ which is a website that makes it even easier to search for credentials. Just type “ssh”, “aws” etc and you get what you’re looking for. It seems that gitleak was suspended in the past and they just resumed the service. In this article about it you can read

Some of the people on the HN thread suggested we should inform the users that a key was being leaked. There is no way we could inform millions of users without being banned from GitHub due to abuse.

And while I agree it wouldn’t be doable for a single individual I think it could work as a community effort. If the community can keep trace of the work done by using a common database then everyone can run the tool and create few issues at a time. Of course this isn’t that easy to put in place. GitLeaks also offers a service to check your own GitHub account for such leaks. A good idea but once again it relies on the developers taking action. Maybe a better service would be to actively monitor a user account like GitHub does for it’s tokens. But that’s a lot to ask for a free service…

Feel free to fork my project on GitHub

More by @MisterCh0c

Topics of interest

More Related Stories