“Truffle Hog” Tool Detects Secret Key Leaks on GitHub

A free and open source tool called “Truffle Hog” can help developers check if they have accidentally leaked any secret keys through the projects they publish on GitHub.

Truffle Hog is a Python tool designed to search repositories, including the entire commit history and branches, for high-entropy strings that could represent secrets, such as AWS secret keys.

“This module will go through the entire commit history of each branch, and check each diff from each commit, and evaluate the Shannon entropy for both the base64 char set and hexadecimal char set for every blob of text greater than 20 characters comprised of those character sets in each diff,” explained Dylan Ayrey, the tool’s developer. “If at any point a high entropy string >20 characters is detected, it will print to the screen.”
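The detection logic described above, as an added example written for this article rather than code from the Truffle Hog project: it extracts runs of base64 or hexadecimal characters longer than 20 from each line of a diff, computes their Shannon entropy, and reports those above a threshold. The thresholds (4.5 bits/char for base64, 3.0 for hex), the sample diff and the helper names are assumptions of this example.

```python
import collections
import math
import re
import string

# Character sets and minimum length from the description of Truffle Hog above.
BASE64_CHARS = string.ascii_letters + string.digits + "+/="
HEX_CHARS = string.hexdigits
MIN_LENGTH = 20
# Entropy thresholds (bits per character) are assumptions for this example;
# base64 text can reach at most 6 bits/char and hex text at most 4 bits/char.
THRESHOLDS = {"base64": (BASE64_CHARS, 4.5), "hex": (HEX_CHARS, 3.0)}


def shannon_entropy(data: str) -> float:
    """Shannon entropy in bits per character of the given string."""
    if not data:
        return 0.0
    entropy = 0.0
    for count in collections.Counter(data).values():
        p = count / len(data)
        entropy -= p * math.log2(p)
    return entropy


def candidate_strings(text: str, charset: str, min_len: int = MIN_LENGTH) -> list:
    """Maximal runs of charset characters that are at least min_len long."""
    pattern = "[" + re.escape(charset) + "]{" + str(min_len) + ",}"
    return re.findall(pattern, text)


def find_high_entropy_strings(diff_text: str) -> list:
    """Scan every line of a diff; return (kind, string, entropy) for each
    candidate whose entropy exceeds the threshold of its character set."""
    findings = []
    for line in diff_text.splitlines():
        for kind, (charset, threshold) in THRESHOLDS.items():
            for candidate in candidate_strings(line, charset):
                entropy = shannon_entropy(candidate)
                if entropy > threshold:
                    findings.append((kind, candidate, round(entropy, 2)))
    return findings


# Constructed diff excerpt for demonstration. The AWS key is the placeholder
# value from AWS documentation, not a live credential; the repeated-letter
# string shows that long but low-entropy text is not reported.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+DEBUG = True
+api_token = "8f0e2c3a9b7d4e6f1a2b3c4d5e6f7a8b9c0d1e2f"
+banner = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"""

if __name__ == "__main__":
    for kind, secret, entropy in find_high_entropy_strings(SAMPLE_DIFF):
        print(f"{kind:6} entropy={entropy:.2f} {secret}")
```

Note that the hex token is also a valid base64 run but stays below the base64 threshold, which is why the two character sets are scored separately.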

As Reddit users have pointed out in a discussion about TruffleHog, bots often scan GitHub in search of secret keys that can be abused to launch AWS instances for malicious purposes. Since these types of activities have often resulted in bills of thousands of dollars that Amazon ended up refunding, the cloud services provider has taken a proactive approach and temporarily blocks AWS accounts whose secret keys are found in a public repository.

Ayrey is also known for the demo he created last year to warn users about the risks of “Pastejacking.” These types of attacks rely on JavaScript to manipulate the content of the clipboard and trick people into pasting and possibly executing malicious code while making them believe that the code they copied into the clipboard is harmless.

Truffle Hog already has more than 700 stars on GitHub, making it Ayrey’s second most popular project after Pastejack.

Security experts have often warned developers who publish their projects on GitHub about the risks of leaking sensitive data through their code. In January 2013, GitHub introduced a new internal search feature that made it easy to find passwords, encryption keys and other data. At the time, users discovered thousands of such secrets on GitHub.

More recently, experts warned Slack bot developers that they were unknowingly exposing sensitive data, including business-critical information, by publishing their Slack access tokens on GitHub.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.