
Thousands of Popular Websites Leaking Secrets

Truffle Security has discovered thousands of popular websites leaking their secrets, including .git directories and AWS and GitHub keys.

Code security firm Truffle Security warns that thousands of the domains in the Alexa top 1 million websites list are leaking secrets, including credentials.

According to the company, which provides an open source secret-scanning engine, 4,500 of the analyzed websites exposed their .git directory.

Created when a Git repository is initialized, a .git directory includes all the information necessary for a project, including code commits, file paths, version control information, and more.

In the case of some websites, Truffle Security notes, this directory can include their entire private source code. Exposed .git directories could provide attackers with access to the entire source code, configuration files, commit history, and access credentials.

“Attackers could use this inside knowledge to mount an attack against the victim’s web application or search the code for live credentials to third-party services like AWS,” the security firm says.

An analysis of the exposed credentials has revealed that AWS and GitHub keys were the most prevalent type of leaked secrets, accounting for 45% of all credentials.

According to Truffle Security, an explanation for the large number of exposed GitHub tokens is the fact that they are often stored in the Git config file during remote repository cloning.


“Third-party email marketing services (like Mailgun, SendInBlue, Mailchimp, and Sendgrid) accounted for a large percentage of the leaked keys as well,” the company notes.

Looking into the exposed GitHub credentials, Truffle Security discovered that roughly 67% of them were for accounts with admin-level privileges.

“All (100%) had repo permissions, which would enable an attacker to take arbitrary actions against all of the victim user’s repositories, including, but not limited to implanting malware in the code,” the security firm explains.

Further analysis of the identified secrets revealed the exposure of a private RSA key corresponding to a domain’s TLS certificate, potentially allowing attackers to conduct man-in-the-middle attacks.

Truffle Security says it attempted to contact all impacted site owners after identifying and verifying the exposed secrets, but notes that the endeavor was not successful in all cases.

“Our research was purposefully narrow in scope. […] There are millions and millions more websites to review. Also, it’s not uncommon for developers to expose a git directory outside of the web root directory,” Truffle Security notes.

“We only reported verified live secrets, meaning we have extremely high confidence the secrets can be used by an attacker. There are many additional secret types that require users to verify them with an on-premise application/server,” the security firm adds.
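A check a site owner could run against their own document root for the two exposures described above: a served .git directory, and tokens left in the Git config file after cloning with a credential in the remote URL. This is an added example, not Truffle Security's code; the sample web root, repository name and token string are constructed placeholders.

```python
import os
import re
import tempfile
from urllib.parse import urlsplit

# Remote URL keys in .git/config that can carry embedded credentials.
URL_LINE = re.compile(r"^\s*(?:url|pushurl)\s*=\s*(\S+)", re.IGNORECASE)

def find_git_dirs(web_root):
    """Yield every .git directory located under the served document root."""
    for dirpath, dirnames, _ in os.walk(web_root):
        if ".git" in dirnames:
            yield os.path.join(dirpath, ".git")
            dirnames.remove(".git")  # do not descend into the repository itself

def embedded_credentials(git_dir):
    """Return redacted remote URLs in .git/config that carry a user or token."""
    hits = []
    config = os.path.join(git_dir, "config")
    if not os.path.isfile(config):
        return hits
    with open(config, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = URL_LINE.match(line)
            if not m:
                continue
            parts = urlsplit(m.group(1))
            if parts.scheme in ("http", "https") and (parts.username or parts.password):
                # Report where the secret is without echoing it into logs.
                hits.append(f"{parts.scheme}://<redacted>@{parts.hostname or ''}{parts.path}")
    return hits

def audit(web_root):
    """Map each exposed .git directory to the credential-bearing remotes in its config."""
    return {g: embedded_credentials(g) for g in find_git_dirs(web_root)}

def build_sample_root():
    """Constructed sample: a web root holding a clone made with a token in the URL."""
    root = tempfile.mkdtemp()
    git_dir = os.path.join(root, "shop", ".git")
    os.makedirs(git_dir)
    with open(os.path.join(git_dir, "config"), "w", encoding="utf-8") as fh:
        fh.write('[remote "origin"]\n'
                 "\turl = https://deploy-bot:EXAMPLE_TOKEN_NOT_REAL@github.com/example-org/shop.git\n"
                 "\tfetch = +refs/heads/*:refs/remotes/origin/*\n")
    return root

if __name__ == "__main__":
    for git_dir, remotes in audit(build_sample_root()).items():
        print(git_dir, remotes or "no credentials in remotes")
```

Any directory the audit returns should be removed from the web root or blocked at the web server, and any token it flags should be revoked and reissued rather than only deleted from the file.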


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
