Thousands of Popular Websites Found Leaking Secrets, Source Code
Code security firm Truffle Security warns that thousands of the domains in the Alexa top 1 million websites list are leaking secrets, including credentials.

According to the company, which provides an open source secret-scanning engine, 4,500 of the analyzed websites exposed their .git directory.

Created when a Git repository is initialized, a .git directory includes all the information necessary for a project, including code commits, file paths, version control information, and more. In the case of some websites, Truffle Security notes, this directory can include their entire private source code.

Exposed .git directories could provide attackers with access to the entire source code, configuration files, commit history, and access credentials.

“Attackers could use this inside knowledge to mount an attack against the victim’s web application or search the code for live credentials to third-party services like AWS,” the security firm says.

An analysis of the exposed credentials has revealed that AWS and GitHub keys were the most prevalent type of leaked secrets, accounting for 45% of all credentials.
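A self-audit for the exposure described above, added here as an example (it is not Truffle Security's tooling): it requests `/.git/HEAD` from sites you operate and classifies the reply, since a readable HEAD (`ref: refs/heads/...` or a 40-hex commit id) is the usual first sign that the whole directory was deployed. The host names and canned responses are constructed so the script runs offline; the `fetcher` parameter is a hypothetical hook for that purpose.

```python
"""Check whether a site you operate serves its .git directory.

The fix when 'exposed' comes back is at the web server and the deploy
pipeline: deny the path (nginx: location ~ /\\.git { return 404; }) and
stop copying .git into the document root in the first place.
"""
import re
import urllib.error
import urllib.request

# A real .git/HEAD is either a symbolic ref or a bare commit id.
HEAD_RE = re.compile(r"^(ref: refs/|[0-9a-f]{40}$)")


def classify(status, body):
    """Return 'exposed', 'blocked' or 'inconclusive' for a /.git/HEAD reply."""
    if status in (401, 403, 404):
        return "blocked"
    if status == 200 and HEAD_RE.match(body.strip()):
        return "exposed"
    # e.g. a 200 that is really a catch-all HTML page, not repository data
    return "inconclusive"


def fetch_head(base_url, fetcher=None, timeout=5):
    """Fetch <base_url>/.git/HEAD and classify it; `fetcher` is swappable."""
    url = base_url.rstrip("/") + "/.git/HEAD"
    if fetcher is None:
        def fetcher(u):
            try:
                with urllib.request.urlopen(u, timeout=timeout) as resp:
                    return resp.status, resp.read(512).decode("utf-8", "replace")
            except urllib.error.HTTPError as err:
                return err.code, ""
    status, body = fetcher(url)
    return classify(status, body)


if __name__ == "__main__":
    # Constructed replies standing in for three hosts of your own, so this
    # runs offline; omit `fetcher` to query a host you actually operate.
    canned = {
        "https://a.example/.git/HEAD": (200, "ref: refs/heads/main\n"),
        "https://b.example/.git/HEAD": (404, ""),
        "https://c.example/.git/HEAD": (200, "<html>Not found</html>"),
    }
    for host in ("https://a.example", "https://b.example", "https://c.example"):
        print(host, fetch_head(host, fetcher=canned.get))
```

Only 'exposed' is a confirmed finding; treat 'inconclusive' as a prompt to look at the server's catch-all behaviour rather than as a clean bill of health.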