SecurityWeek

Data Protection

GitHub Now Scans Commits for Atlassian, Dropbox, Discord Tokens

Microsoft-owned GitHub on Monday announced that its token scanning service will also check commits for Atlassian, Dropbox, Discord, Proctorio and Pulumi tokens that have been accidentally shared.

Third-party token scanning was introduced by GitHub in October 2018 and became generally available in May. The service scans public repositories for accidentally committed tokens and alerts the company that issued the token so that it can be revoked before it’s used for malicious purposes.

GitHub initially scanned commits for token formats associated with Alibaba Cloud, AWS, Azure, Google, Mailgun, npm, Slack, Stripe and Twilio. The company said on Monday that it has also added Atlassian, Dropbox, Discord, Proctorio and Pulumi to the list of partners.

“Now if you accidentally check in a token for products like JIRA or Discord, the provider gets notified about a potential match within seconds of check-in, allowing them to revoke the token before it’s used maliciously,” explained Justin Hutchings, senior product manager at GitHub.

[Image: GitHub exposed token warning]

According to GitHub, roughly one billion tokens have been sent to its scanning partners for validation since the launch of the service.

The company has advised cloud and API service providers interested in ensuring that their tokens don’t become compromised to reach out and sign up to become a partner. The process involves defining a regular expression to match their token format, setting up an API endpoint, and some paperwork.
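The matching step described above can be sketched as follows. This is an added example, not GitHub's code: the provider names, token formats and sample diff are hypothetical and constructed for illustration. It checks only the lines a commit adds and records the file and line number of each match, grouped by the provider that would be notified.

```python
import re
from collections import defaultdict

# Hypothetical token formats (assumption): each partner registers its own regex.
PARTNER_PATTERNS = {
    "exampleco": re.compile(r"\bexco_[A-Za-z0-9]{32}\b"),
    "samplecloud": re.compile(r"\bSC[0-9A-F]{24}\b"),
}

# Unified-diff hunk header; group 1 is the first line number in the new file.
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# Constructed sample commit diff.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,4 @@ DEBUG = False
 DB_HOST = "db.internal"
-API_KEY = os.environ["API_KEY"]
+API_KEY = "exco_0123456789abcdefghijklmnopqrstuv"
+REGION = "eu-west-1"
 TIMEOUT = 30
"""

def scan_diff(diff_text):
    """Return {provider: [(path, line_no, token), ...]} for added lines only."""
    findings = defaultdict(list)
    path, line_no = None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):            # new-file header names the path
            path = line[6:] if line.startswith("+++ b/") else line[4:]
        elif line.startswith("--- "):          # old-file header, nothing to scan
            continue
        elif HUNK.match(line):                 # reset the new-file line counter
            line_no = int(HUNK.match(line).group(1))
        elif path is None:                     # preamble before any file header
            continue
        elif line.startswith("+"):             # added line: match every pattern
            for provider, pattern in PARTNER_PATTERNS.items():
                for token in pattern.findall(line[1:]):
                    findings[provider].append((path, line_no, token))
            line_no += 1
        elif line.startswith(" "):             # context line advances numbering
            line_no += 1
        # removed ('-') lines do not exist in the new file, so no increment
    return dict(findings)

if __name__ == "__main__":
    for provider, hits in scan_diff(SAMPLE_DIFF).items():
        for path, line_no, token in hits:
            print(f"{provider}: {path}:{line_no} {token[:8]}... (redacted)")
```

The same function works as a local pre-commit check when fed the output of `git diff --cached`, so a match is caught before the token ever reaches a public repository.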


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
