“Truffle Hog” Tool Detects Secret Key Leaks on GitHub

A free and open source tool called “Truffle Hog” can help developers check if they have accidentally leaked any secret keys through the projects they publish on GitHub.

Truffle Hog is a Python tool designed to search repositories, including the entire commit history and branches, for high-entropy strings that could represent secrets, such as AWS secret keys.

“This module will go through the entire commit history of each branch, and check each diff from each commit, and evaluate the Shannon entropy for both the base64 char set and hexadecimal char set for every blob of text greater than 20 characters comprised of those character sets in each diff,” explained Dylan Ayrey, the tool’s developer. “If at any point a high entropy string >20 characters is detected, it will print to the screen.”
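As an added illustration of the heuristic Ayrey describes (example code written for this article, not TruffleHog's own source), the following scans a diff for runs of at least 20 base64 or hexadecimal characters and flags those whose Shannon entropy is high. The entropy thresholds (4.5 bits for base64, 3.0 for hex) and the sample diff, which uses the AWS documentation's placeholder key, are assumptions for this example.

```python
import math
import re

# Character sets named in the quote above.
BASE64_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
HEX_CHARS = "1234567890abcdefABCDEF"

# Thresholds are assumptions for this example, chosen so that random-looking
# 20+ character tokens trip the check while ordinary identifiers do not.
BASE64_THRESHOLD = 4.5
HEX_THRESHOLD = 3.0
MIN_LENGTH = 20


def shannon_entropy(data: str, charset: str) -> float:
    """Shannon entropy in bits per symbol of `data`, counting only `charset`."""
    if not data:
        return 0.0
    entropy = 0.0
    for ch in charset:
        p = data.count(ch) / len(data)
        if p > 0:
            entropy -= p * math.log2(p)
    return entropy


def candidate_strings(text: str, charset: str) -> list:
    """Maximal runs of characters from `charset` that are at least MIN_LENGTH long."""
    pattern = "[" + re.escape(charset) + "]{" + str(MIN_LENGTH) + ",}"
    return re.findall(pattern, text)


def find_high_entropy_strings(diff_text: str) -> list:
    """Return (blob, charset_name, entropy) for each suspicious blob in a diff."""
    findings = []
    for line in diff_text.splitlines():
        for name, charset, threshold in (("base64", BASE64_CHARS, BASE64_THRESHOLD),
                                         ("hex", HEX_CHARS, HEX_THRESHOLD)):
            for blob in candidate_strings(line, charset):
                ent = shannon_entropy(blob, charset)
                if ent > threshold:
                    findings.append((blob, name, round(ent, 2)))
    return findings


# Constructed sample diff; the key is AWS's public documentation placeholder.
SAMPLE_DIFF = """\
diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -1,2 +1,4 @@
 DEBUG = False
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+API_TOKEN = "3f9a1c7e5b2d8e4f6a0c9b1d2e3f4a5b"
+TIMEOUT_SECONDS = 30
"""

if __name__ == "__main__":
    for blob, name, ent in find_high_entropy_strings(SAMPLE_DIFF):
        print(f"{name:6} entropy={ent:.2f} {blob}")
```

Note that the hex token above is also a valid base64 run, but its base64 entropy falls below 4.5, so it is reported once, under the hex check; a purely entropy-based scanner will likewise miss low-entropy secrets such as dictionary passwords.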

As Reddit users have pointed out in a discussion about TruffleHog, bots often scan GitHub in search of secret keys that can be abused for malicious AWS instances. Since these types of activities have often resulted in bills of thousands of dollars that Amazon ended up refunding, the cloud services provider has taken a proactive approach and has temporarily blocked AWS accounts whose secret keys are found in a public repository.

Ayrey is also known for the demo he created last year to warn users about the risks of “Pastejacking.” These types of attacks rely on JavaScript to manipulate the content of the clipboard and trick people into pasting and possibly executing malicious code while making them believe that the code they copied into the clipboard is harmless.

Truffle Hog already has more than 700 stars on GitHub, making it Ayrey’s second most popular project after Pastejack.

Security experts have often warned developers who publish their projects on GitHub about the risks of leaking sensitive data through their code. In January 2013, GitHub introduced a new internal search feature that made it easy to find passwords, encryption keys and other data. At the time, users discovered thousands of such secrets on GitHub.

More recently, experts warned Slack bot developers that they were unknowingly exposing sensitive data, including business-critical information, by publishing their Slack access tokens on GitHub.

Related Reading: UK’s GCHQ Spy Agency Launches Open Source Data Analysis Tool

Related Reading: Google Launches OSS-Fuzz Open Source Fuzzing Service

Related Reading: Facebook’s “Osquery” Security Tool Available for Windows

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
