Security Experts:

"Truffle Hog" Tool Detects Secret Key Leaks on GitHub

A free and open source tool called “Truffle Hog” can help developers check if they have accidentally leaked any secret keys through the projects they publish on GitHub.

Truffle Hog is a Python tool designed to search repositories, including the entire commit history and branches, for high-entropy strings that could represent secrets, such as AWS secret keys.

“This module will go through the entire commit history of each branch, and check each diff from each commit, and evaluate the shannon entropy for both the base64 char set and hexidecimal char set for every blob of text greater than 20 characters comprised of those character sets in each diff,” explained Dylan Ayrey, the tool’s developer. “If at any point a high entropy string >20 characters is detected, it will print to the screen.”

As Reddit users have pointed out in a discussion about TruffleHog, bots often scan GitHub in search of secret keys that can be abused for malicious AWS instances. Since these types of activities have often resulted in bills of thousands of dollars that Amazon ended up refunding, the cloud services provider has taken a proactive approach and has temporarily blocked AWS accounts whose secret keys are found in a public repository.

Ayrey is also known for the demo he created last year to warn users about the risks of “Pastejacking.” These types of attacks rely on JavaScript to manipulate the content of the clipboard and trick people into pasting and possibly executing malicious code while making them believe that the code they copied into the clipboard is harmless.

Truffle Hog already has more than 700 stars on GitHub, making it Ayrey’s second most popular project after Pastejack.

Security experts have often warned developers who publish their projects on GitHub about the risks of leaking sensitive data through their code. In January 2013, GitHub introduced a new internal search feature that made it easy to find passwords, encryption keys and other data. At the time, users discovered thousands of such secrets on GitHub.

More recently, experts warned Slack bot developers that they were unknowingly exposing sensitive data, including business-critical information, by publishing their Slack access tokens on GitHub.

Related Reading: UK's GCHQ Spy Agency Launches Open Source Data Analysis Tool

Related Reading: Google Launches OSS-Fuzz Open Source Fuzzing Service

Related Reading: Facebook's "Osquery" Security Tool Available for Windows

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.