We recently created a small tool to analyze Android apps for secret leaks and this was appreciated in the infosec community. This inspired us to create GitLeaks.com , a search engine for exposed secrets on GitHub, Bitbucket, in Android app clients and later the whole web. We launched a beta version of it on Hacker News for initial feedback. The feedback was mixed with few people objecting to the search functionality and our account upgrade functionalities while others saw this as a cool tool. We disabled search for the time being sensing we have been unable to communicate our intention better.
Some of the people on the HN thread suggested we should inform the users that a key was being leaked. There is no way we could inform millions of users without being banned from GitHub due to abuse. If there is someone who could do this the best, it is Github the platform where the secrets are exposed and with an army of engineers it is a matter of couple of days to do this. We are open to work with GitHub if they would like to make secret leaks detection a feature on their platform.
Another point of discussion was we were “exposing people’s secret” which is funny since the data is public and the secrets are searchable via the GitHub interface. We simply optimised the search to focus on secrets and provided a way to check your own GitHub account for leaks. Shodan, the popular search engine for open ports is seen as a great infosec tool even when it can be used for bad purposes with their paid account. Insecam lists realtime stream of thousands of open IP cameras around the world. Someone writing or publicising that a website does not use HTTPS does not make them a criminal. Products like Shodan, Insecam or GitLeaks will eventually make the world more secure.
Now coming to the paid accounts. We have limited queries to 30 per month for free users who are logged-in. Taking a leaf out of Shodan, we will display only the first page and not two pages as earlier if you are not logged in. Maintaining and working on the search infrastructure costs us real money and the paid accounts are simply a way to cover the costs. If you are feeling generous, please contact us at [email protected] and donate to cover our annual cost and we will stop the paid accounts.
The next point was about abuse by criminals. It would be extremely naive to assume that the bad guys are sitting waiting for products like GitLeaks to come out in order for them to exploit. The best way to go about is always creating awareness and not pushing matters under the rug. We have already limited search results for anonymous accounts to a single page of result and would be denying use from newly created GitHub accounts (accounts created after GitLeaks release) since there is no value for them right now anyway.
Around 10000 people tried to use GitLeaks.com on 17th February. Most of them left disappointed after being greeted with our message of disabled search and pointing to the discussion. We are sorry. GitLeaks is now open and we shall be adding new sources, features and refresh the data over time.