Hacker News

rao-v, last Friday at 8:15 PM (10 replies)

I’m surprised that GitHub, OpenAI etc. doesn’t have automation to scan the usual surfaces for hashes of their access tokens.

It seems like a cheap and simple thing to offer your customers a little extra safety.

Anybody interested in starting a platform agnostic service to do this?


Replies

PokestarFan, last Friday at 8:38 PM

GitHub already has a program to scan for keys, since publishing Discord tokens by mistake used to get the token immediately revoked and a DM from the system account saying why

wongarsu, last Saturday at 12:28 AM

For things pushed to GitHub, GitHub has quite sophisticated secret scanning. They have a huge list of providers where they will automatically verify if a potential key is real and revoke it automatically [2], and a smaller list of generic patterns they try to match if you enable the matching of "non-provider patterns".

This seems to be a case of someone accidentally publishing their GitHub token somewhere else. I'm not sure how GitHub would cheaply and easily prevent that. Though there are third party tools that scan your web presence for secrets, including trying wordlists of common files or directories.

1: https://docs.github.com/en/code-security/secret-scanning/int...

2: https://docs.github.com/en/code-security/secret-scanning/int...
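A minimal cut of the platform-agnostic service rao-v proposes, written as an added example (not code from the thread, from GitHub or from OpenAI): it applies provider-style patterns of the kind wongarsu describes to a constructed text, drops low-entropy placeholders of the sort that trip naive scanners, and checks SHA-256 fingerprints against a registry so the service stores hashes rather than tokens. The GitHub regex covers only the classic 36-character format; the OpenAI pattern and the entropy threshold are assumptions.

```python
import hashlib
import math
import re

# Detector patterns. The GitHub one follows the classic token format
# (ghp_/gho_/ghu_/ghs_/ghr_ prefix plus 36 base62 characters); the
# OpenAI one is an assumption, kept loose on purpose.
PATTERNS = {
    "github": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "openai": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
}

# Constructed sample: one random-looking token plus the kind of
# placeholder that shows up in docs and triggers false positives.
LIVE_TOKEN = "ghp_Ab3dE9fGh1JkLm2nOpQ7rStUv4WxYz8Cd5Ef"
PLACEHOLDER = "ghp_" + "x" * 36
SAMPLE_TEXT = f"""# deploy.env (constructed)
GITHUB_TOKEN={LIVE_TOKEN}
# example from the README, not a real credential:
# GITHUB_TOKEN={PLACEHOLDER}
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; random secrets score high, placeholders low."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def find_candidates(text: str, min_entropy: float = 3.5):
    """Yield (provider, token) for matches that look random enough."""
    for provider, rx in PATTERNS.items():
        for m in rx.finditer(text):
            if shannon_entropy(m.group(0)) >= min_entropy:
                yield provider, m.group(0)

def fingerprint(token: str) -> str:
    """SHA-256 hex digest: the registry stores this, never the token."""
    return hashlib.sha256(token.encode()).hexdigest()

def scan(text: str, registry: set[str]) -> list[dict]:
    """Report each candidate and whether its fingerprint is registered."""
    return [
        {"provider": p, "fingerprint": fingerprint(t),
         "registered": fingerprint(t) in registry}
        for p, t in find_candidates(text)
    ]

if __name__ == "__main__":
    for hit in scan(SAMPLE_TEXT, {fingerprint(LIVE_TOKEN)}):
        print(hit)
```

A real deployment would populate the registry from the provider (hashes of tokens it has issued) and feed hits into the provider's revocation path rather than printing them.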

lkt, last Friday at 11:08 PM

They do scan but they miss a lot. The frequency decreased after GitHub started scanning all repositories but I still report leaked secrets to bug bounty programs pretty often. Unfortunately Home Depot doesn't have a bug bounty program so I don't scan them.

esafak, last Friday at 8:35 PM

Where was this token found, in an open source repo? There are numerous ways to scan commits, for free even in open source repos: https://docs.github.com/en/code-security/secret-scanning/int...

tecleandor, last Friday at 8:35 PM

They at least scan GitHub for all kinds of exposed tokens in public repositories, and even have partnerships with the companies where you can connect with those tokens (SaaS, PaaS...) to verify they're valid and even revoke them automatically if necessary.

dudeWithAMood, last Friday at 9:02 PM

I think there are crawlers that do that. Somehow I accidentally had a commit with an OpenAI key in it, and when I published an open source repo with that commit, within ~20 seconds I got an email from OpenAI that someone had retired my exposed key.

ralph84, last Saturday at 7:16 AM

The article doesn’t say where the Home Depot token was published. Almost certainly not on GitHub or it would have been invalidated. But AFAIK GitHub doesn’t crawl other sites looking for GitHub tokens. I suppose Microsoft could provide GitHub a feed of GitHub tokens found by their Bing crawlers.

freedomben, last Friday at 8:40 PM

They definitely do have automation to scan for this already. I've seen plenty of alerts (fortunately all false positives that triggered on example keys that weren't real). I don't know how comprehensive it is, but it does exist.

nunez, last Saturday at 1:15 AM

GitHub does! They tell you when you pushed something dangerous almost right away.

GitHub Advanced Security blocks the push, I believe.