A new web app, called “Shhgit”, will scan the web-based GitHub code repository and search for sensitive secrets, such as private crypto keys.
Scanning for private crypto keys and passwords
On Oct. 17, programmer and security expert Paul Price introduced his new tool, Shhgit. Shhgit scans for secrets across public code repositories that sometimes end up in the hands of bad actors and ultimately have the potential to cause significant data breaches.
Price said that finding these potentially harmful secrets across GitHub is nothing new. According to the programmer, there are tons of open-source tools available, such as gitrob and truggleHog, which all dig into “commit history to find secret tokens from specific repositories, users or organisations.”
Price added that software developers, who sometimes unwillingly leak secrets across public code repositories, should ensure secrets don't end up in their code base in the first place. At a minimum, Price said, “config files should be encrypted with a environment-based key.”
Although scanning for secrets in public code repositories has existed since the launch of GitHub, some recent data breaches, such as the Capital One hack that left the personal data of over 100 million individuals exposed, show severe implications of faulty security that can lead to reputational damage and huge fines.
Price states that his tool can help in finding any secrets accidentally committed in real time, which should give developers the time to delete any sensitive information before hackers can have a field day with anybody’s private information.
Bitcoin has never been hacked
In July, Paige Thompson allegedly stole the confidential data for around 106 million Capital One customers' accounts and credit card applications. The hacker allegedly gained access to 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers, as well as data pertaining to customers’ credit scores, credit limits and balances.