“Shhgit” can scan for private Crypto keys and Passwords
The Web App scans public code repositories like GitHub to search for sensitive information in real-time
Massive hacks of corporate databases and government networks, together with the widespread malware lurking on the Internet, highlight the importance of securing one's digital identity. Just to refresh your memory, the biggest hack of this year left the data of 106 million users in the hands of one nefarious player.
Earlier in July, Paige Thompson, an alleged hacker, was arrested for exploiting a misconfigured web application firewall to gain access to personal financial information held by credit card issuer Capital One. Ironically, the company didn't discover the hack until the hacker revealed it on social media channels and uploaded the information to GitHub.
While security breaches are common among crypto exchanges as well, hacking a decentralized blockchain network such as Bitcoin is extremely difficult, if not impossible: the attacker would need the private keys of every single wallet address on the network. That is probably one of the reasons the Bitcoin network itself has never been hacked. But what if those private keys were accessible from a third-party source?
Security expert and programmer Paul Price has unveiled a new tool, Shhgit, which scans open-source code repositories such as GitHub, GitLab and BitBucket for sensitive information like secret keys for third-party services. Finding potentially harmful information on these platforms is nothing new, as the Capital One hack showed: the personal data records of 106 million customers could easily have fallen into the wrong hands.
According to Price, plenty of tools such as gitrob and truffleHog can scan for sensitive and personal information accidentally committed to GitHub, but because this kind of information is usually cleaned up within 24 hours, these tools are not very effective in practice.
This is where Shhgit comes in handy. Inspired by gitrob, it scans code pushed to repositories like GitHub in real time to pull out any accidentally released sensitive information before a nefarious player gains access to it. The programmer claims that Shhgit was able to verify secrets in any code within 7 minutes of its being committed.
GitHub also runs its own secret detection through its token scanning project. The objective is the same: identify secret tokens in real time and notify the affected company of the exposure so that it can prevent any abuse. In a real-time comparison of token scanning with Shhgit, the latter was found to pick up the code much quicker than the former.
On the other hand, companies can do their own due diligence to prevent uploading secrets in the first place. Amazon's awslabs maintains a tool, git-secrets, for exactly this purpose. If a secret somehow gets past that tool, GitHub's token scanning should catch the release of the sensitive information and notify Amazon so that the exposed credentials can be revoked.
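To make concrete the kind of check that tools such as Shhgit, truffleHog and git-secrets perform, here is an added example (not code from any of those projects) of a minimal pre-commit style scanner: it looks only at added lines of a diff, matches a small hypothetical rule set for well-known key formats, and applies a Shannon-entropy filter to the generic "password = ..." rule so that placeholders do not drown out real leaks. The sample diff is constructed for this illustration; the AWS key in it is the placeholder AWS uses in its own documentation.

```python
import math
import re

# Constructed sample diff, as a pre-commit hook would see it on `git diff --cached`.
# The AWS key is the placeholder value AWS uses in its own documentation.
SAMPLE_DIFF = """\
--- a/config.py
+++ b/config.py
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "changeme"
+API_KEY = "kX9v2Qp7LmZ3rTb8WcYe"
+# -----BEGIN RSA PRIVATE KEY-----
-OLD_SECRET = "removed"
"""

# Hypothetical rule set built from public key formats (not any real scanner's rules).
SIGNATURES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Assignment of an 8+ character value to a secret-looking variable; group 1 is the value.
    "generic_secret": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key)\s*[=:]\s*['\"]?([^\s'\"]{8,})"),
}

def shannon_entropy(value):
    """Bits per character: random-looking tokens score high, dictionary words score low."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_added_lines(diff_text, entropy_threshold=3.5):
    """Return (line_number, rule, value) for each secret found on an added line."""
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # only newly added content can leak a new secret
        content = line[1:]
        for rule, pattern in SIGNATURES.items():
            for match in pattern.finditer(content):
                value = match.group(1) if match.groups() else match.group(0)
                # Structured formats are reported as-is; the generic rule drops low-entropy
                # values like "changeme" (trade-off: a weak real password can slip past).
                if rule == "generic_secret" and shannon_entropy(value) < entropy_threshold:
                    continue
                findings.append((lineno, rule, value))
    return findings
```

Run against the sample diff, `scan_added_lines(SAMPLE_DIFF)` reports the AWS key, the high-entropy API key and the private key header, while the low-entropy placeholder password is filtered out.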
Best practices for companies include proper training on secure coding standards, employing encryption techniques, using automated tools to prevent committing secrets, and asking the right questions of third-party developers to cover all the bases.