Code security firm Truffle Security warns that thousands of the domains in the Alexa top 1 million websites list are leaking secrets, including credentials.
According to the company, which provides an open source secret-scanning engine, 4,500 of the analyzed websites exposed their .git directory.
Created when a Git repository is initialized, a .git directory includes all the information necessary for a project, including code commits, file paths, version control information, and more.
In the case of some websites, Truffle Security notes, this directory can include their entire private source code. Exposed .git directories could provide attackers with access to the entire source code, configuration files, commit history, and access credentials.
“Attackers could use this inside knowledge to mount an attack against the victim’s web application or search the code for live credentials to third-party services like AWS,” the security firm says.
An analysis of the exposed credentials has revealed that AWS and GitHub keys were the most prevalent type of leaked secrets, accounting for 45% of all credentials.
According to Truffle Security, one explanation for the large number of exposed GitHub tokens is that they are often written into the repository's Git config file when a remote repository is cloned.
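The mechanism described above (credentials landing in `.git/config` at clone time) is easy to check for in your own repositories before they are deployed. The following added example is not Truffle Security's code or part of its scanner; it is a small stand-alone checker that parses the INI-like Git config format and flags the two places where a token is typically stored in plain text: the user-info part of an HTTP(S) `url`/`pushurl` remote and an `http.extraHeader` `Authorization:` header. The sample config, the `deploy-bot` account, the `example-org/webapp` repository and the token value are all constructed for the example; the GitHub token prefixes are the publicly documented ones.

```python
"""Find credentials embedded in a Git config file such as .git/config.

Added example, not Truffle Security's code. Findings are reported with the
secret redacted so the output itself does not become another leak.
"""
import re
import sys
from urllib.parse import urlsplit, urlunsplit

SECTION_RE = re.compile(r'^\s*\[([^\]]+)\]\s*$')
KEY_VALUE_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')

# Publicly documented prefixes of GitHub token formats.
GITHUB_TOKEN_PREFIXES = ("ghp_", "gho_", "ghu_", "ghs_", "ghr_", "github_pat_")

# Constructed sample: what a deploy host's .git/config can look like after
# `git clone https://<user>:<token>@github.com/...` and a CI helper that
# persisted an Authorization header.
SAMPLE_CONFIG = """\
[core]
    repositoryformatversion = 0
    filemode = true
[remote "origin"]
    url = https://deploy-bot:ghp_EXAMPLE0000000000000000000000000000@github.com/example-org/webapp.git
    fetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
    url = git@github.com:example-org/webapp.git
[http "https://github.com/"]
    extraheader = AUTHORIZATION: basic ZGVwbG95LWJvdDpnaHBfRVhBTVBMRQ==
"""


def parse_git_config(text):
    """Return (section, key, value) triples from Git config text.

    Git config is INI-like: '[section "subsection"]' headers followed by
    'key = value' lines (usually tab-indented); comments start with # or ;.
    """
    entries = []
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        match = SECTION_RE.match(line)
        if match:
            section = match.group(1).strip()
            continue
        match = KEY_VALUE_RE.match(line)
        if match and section is not None:
            entries.append((section, match.group(1).lower(), match.group(2)))
    return entries


def classify_secret(secret):
    """Best-effort label for a secret found in a URL's user-info part."""
    if secret.startswith(GITHUB_TOKEN_PREFIXES):
        return "github-token"
    return "password-or-token"


def redact_url(parts):
    """Rebuild a split URL with the secret replaced by '***'."""
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    # Keep the username only when a separate password was present; a bare
    # token used as the username is itself the secret.
    userinfo = f"{parts.username}:***" if parts.password is not None else "***"
    return urlunsplit((parts.scheme, f"{userinfo}@{host}", parts.path, parts.query, parts.fragment))


def find_embedded_credentials(text):
    """Return findings as dicts with section, key, kind and a redacted value."""
    findings = []
    for section, key, value in parse_git_config(text):
        if key in ("url", "pushurl"):
            parts = urlsplit(value)
            # ssh / scp-style remotes (git@host:org/repo.git) carry no inline token.
            if parts.scheme not in ("http", "https") or not parts.username:
                continue
            secret = parts.password if parts.password is not None else parts.username
            findings.append({"section": section, "key": key,
                             "kind": classify_secret(secret),
                             "redacted": redact_url(parts)})
        elif key == "extraheader" and value.lower().startswith("authorization:"):
            findings.append({"section": section, "key": key,
                             "kind": "http-extraheader",
                             "redacted": "AUTHORIZATION: <redacted>"})
    return findings


if __name__ == "__main__":
    # Pass a path to a real .git/config, or run with no arguments for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CONFIG
    for finding in find_embedded_credentials(text):
        print(f"[{finding['section']}] {finding['key']}: {finding['kind']} -> {finding['redacted']}")
```

Running it against the sample reports the `origin` remote as a `github-token` finding and the `extraheader` entry as an `http-extraheader` finding, while the ssh-style `mirror` remote is correctly ignored. A check like this belongs in the deployment pipeline next to the other obvious mitigations for the exposure the article describes: never deploy by checking a repository out into the web root, and have the web server refuse requests for `/.git/` outright.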
“Third-party email marketing services (like Mailgun, SendInBlue, Mailchimp, and Sendgrid) accounted for a large percentage of the leaked keys as well,” the company notes.
Looking into the exposed GitHub credentials, Truffle Security discovered that roughly 67% of them were for accounts with admin-level privileges.
“All (100%) had repo permissions, which would enable an attacker to take arbitrary actions against all of the victim user’s repositories, including, but not limited to implanting malware in the code,” the security firm explains.
Further analysis of the identified secrets revealed the exposure of a private RSA key corresponding to a domain’s TLS certificate, potentially allowing attackers to conduct man-in-the-middle attacks.
Truffle Security says it attempted to contact all impacted site owners after identifying and verifying the exposed secrets, but notes that the endeavor was not successful in all cases.
“Our research was purposefully narrow in scope. […] There are millions and millions more websites to review. Also, it’s not uncommon for developers to expose a git directory outside of the web root directory,” Truffle Security notes.
“We only reported verified live secrets, meaning we have extremely high confidence the secrets can be used by an attacker. There are many additional secret types that require users to verify them with an on-premise application/server,” the security firm adds.