Researcher Unearths Thousands of Leaked Secrets in GitHub's "Oops Commits"
Briefly

"GitHub retains every public commit, even those developers attempt to erase through force pushes, as 'zero-commit' PushEvents in its archive. By scanning all of these dangling commits since 2020 using data from GitHub Archive, Brizinov discovered secrets that led to approximately $25,000 in bug bounty rewards, particularly exposing GitHub PATs and AWS credentials that could have led to wide-ranging supply-chain attacks."
"To empower the community, Truffle Security and Brizinov co-developed the Force Push Scanner, an open-source tool that identifies and scans orphaned commits within your GitHub organization or user account. It mines the GH Archive dataset using BigQuery and applies TruffleHog scanning to uncover hidden secrets and vulnerabilities."
"The findings were staggering: a large volume of active secrets, such as MongoDB credentials and API tokens, were found in .env and common config files. One particularly alarming case involved a GitHub Personal Access Token with admin permissions over the Istio repositories, posing a massive potential for a supply-chain compromise, though the token was swiftly revoked following responsible disclosure. Community reaction highlights the broader implications: developers and security professionals noted that commits intended to be removed are often still accessible."
GitHub retains public commits even after force pushes or deletions, recording them as "zero-commit" PushEvents in its archive, so orphaned commits remain reachable by their SHA. Scanning GitHub Archive data since 2020 revealed thousands of exposed secrets, including GitHub Personal Access Tokens and AWS credentials, and the disclosures yielded roughly $25,000 in bug bounty rewards. Truffle Security and Sharon Brizinov released the Force Push Scanner, an open-source tool that mines GH Archive with BigQuery to identify orphaned commits and runs TruffleHog over them to uncover hidden secrets. Discovered secrets included MongoDB credentials and API tokens in .env and config files, and at least one admin-level token posed a major supply-chain risk before it was revoked.
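The two stages the summary describes (find zero-commit PushEvents for your own repos, then scan what they orphaned) as an added example; this is not the Force Push Scanner's code. The PushEvent field names (`payload.ref`, `before`, `head`, `size`) are assumed from the GitHub Events API format that GH Archive stores, and the event records and `.env` contents are constructed here.

```python
"""Triage GH Archive PushEvents for force-push-orphaned commits, then scan them."""
import re

NULL_SHA = "0" * 40  # `before` is all zeros when a push merely creates a ref

# Constructed records in the shape of GH Archive PushEvent JSON (field names
# assumed from the GitHub Events API: payload.ref / before / head / size).
SAMPLE_EVENTS = [
    {"type": "PushEvent", "repo": {"name": "example-org/app"},
     "payload": {"ref": "refs/heads/main", "size": 1,
                 "before": "a" * 40, "head": "b" * 40}},
    # zero-commit push: `head` already existed, so the old tip `before` is orphaned
    {"type": "PushEvent", "repo": {"name": "example-org/app"},
     "payload": {"ref": "refs/heads/main", "size": 0,
                 "before": "b" * 40, "head": "c" * 40}},
    # zero-commit push that only creates a branch: nothing was orphaned
    {"type": "PushEvent", "repo": {"name": "example-org/app"},
     "payload": {"ref": "refs/heads/feature", "size": 0,
                 "before": NULL_SHA, "head": "c" * 40}},
    {"type": "WatchEvent", "repo": {"name": "example-org/app"}, "payload": {}},
]

def find_orphan_candidates(events, owner):
    """Return (repo, ref, before_sha) for zero-commit pushes to `owner`'s repos.

    A PushEvent with size 0 moved `ref` to a commit that already existed, so the
    previous tip (`before`) is no longer reachable from any branch, only by SHA."""
    out = []
    for ev in events:
        if ev.get("type") != "PushEvent":
            continue
        repo = ev["repo"]["name"]
        if repo.split("/")[0] != owner:
            continue
        p = ev["payload"]
        if p.get("size") == 0 and p["before"] not in (NULL_SHA, p["head"]):
            out.append((repo, p["ref"], p["before"]))
    return out

# Well-known token formats for the secret types the article names.
SECRET_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

def scan_text(text):
    """Return the sorted names of secret patterns found in `text`."""
    return sorted(name for name, rx in SECRET_PATTERNS.items() if rx.search(text))

# Constructed .env contents; the AWS key is the documented AWS example key.
SAMPLE_ENV = "GITHUB_TOKEN=ghp_" + "A" * 36 + "\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
```

In a real run, each `before` SHA returned by `find_orphan_candidates` would be fetched from the repository and its files passed through `scan_text` (or TruffleHog), and any hit rotated.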
Read at InfoQ