“Shhgit” can scan for private Crypto keys and Passwords

The Web App scans public code repositories like GitHub to search for sensitive information in real-time

Faisal Khan
Nov 15, 2019 · 3 min read

Massive hacks of corporate databases, government networks & widespread malware lurking on the Internet highlights the importance of securing one’s digital identity. Just to refresh your memory, the biggest hack of this year left the data of 106 million users in the hands of one nefarious player.

Earlier in July, Paige Thompson, an alleged hacker was arrested for exploiting a misconfigured web application firewall to gain access to personal financial information of credit card issuer Capital One. Ironically though, the company didn’t figure out the hack until it was revealed by the hacker himself on social media channels & uploaded the information on GitHub.

While security breaches are common among the Crypto exchanges as well, hacking a decentralized blockchain network as Bitcoin is way too difficult if not possible. The hacker would need to have access to the private keys of every single digital wallet address on the network. That is probably one of the reasons why the Bitcoin network has never been hacked. But what if these private keys were accessible at a third-party source.

Security expert & programmer has unveiled a new tool Shhgit, which scans for sensitive information like secret keys for third-party services across open-source code repositories like GitHub, GitLab and BitBucket. Finding potentially harmful information across these platforms is nothing new, as we saw in the case of Capital One hack. The personal data records of 106 million customers could have easily fallen into the wrong hands.

Image Credit: https://darkport.co.uk/blog/ahh-shhgit!/

According to Price, tons of tools like gitrob and truggleHog are available, which can be used to scan for sensitive & personal information accidentally committed to GitHub, but since this kind of information is usually cleaned up within 24 hours, these tools don’t prove too effective in real life.

This is where Shhgit comes in handy — inspired by gitrob, it scans all the code in repositories like GitHub in real-time to pull out any accidentally released sensitive information before some nefarious player gains access to it. The programmer claims that Shhgit was able to verify secrets across any code within 7 minutes of being committed.

GitHub also uses its own set of tools, scanning for secrets through their token scanning project. The objective is the same, to identify secret tokens in real-time and notify the company of the vulnerability to prevent any abuse. In the real-time comparison testing of token scanning with Shhgit, the latter was found to scan the code much quicker than the former.

On the other hand, companies themselves can do their due diligence to prevent uploading secrets in the first place. Amazon AWS labs use a tool git-secrets to achieve this. If for some reason, it bypasses the tool, GitHub’s token scanning tool should be able to capture the release of any sensitive information & notify Amazon to revoke the access.

The best practices for companies include proper training on secure coding standards, employing encryption techniques, using automated tools to prevent committing secrets & asking the right questions from third-party developers to cover all the bases.


Stay informed with the content that matters — Join my mailing list

Technicity

Empowering you with Technical, Scientific & Financial knowledge

Faisal Khan

Written by

Content Specialist in Cryptocurrencies | Blockchain | Financial Markets | Technology | Future | Science | Space

Technicity

Empowering you with Technical, Scientific & Financial knowledge

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade