Understanding the Risks and Consequences of Leaked Secrets

Published in

Version 1

3 min readOct 17, 2023

Uncovering the Hidden Dangers in Code Repositories

In today’s digital landscape, it is crucial to consider the consequences of compromised data. Potential risks include loss of business, decreased consumer confidence, reputational damage, and the possibility of regulatory fines or contractual penalties.

Fortunately, the IT industry has made significant progress in integrating security into standard practices. However, it is essential to recognise that we have not yet achieved full maturity in our security posture. People make mistakes, and the consequences can be costly.

In this blog post, we will explore an often-overlooked aspect of security: the potential for secrets to be leaked through code in various Version Control Systems (VCS), such as Git, Mercurial, or Subversion.

The Risks of Leaked Secrets in Code

Leaked secrets can compromise data in the rapidly expanding world of public cloud platforms, and can leave your provisioned resources at risk. Potential threats include denial of service, malicious cost inflation, and resource hijacking among others.

Defining a Leak

In the context of code, leaks usually involve secrets, which are pieces of information we would prefer not to share. Examples include API keys, passwords, connection strings, and certificates. Leaked secrets can easily grant unauthorised access to sensitive systems and data.

The Scale of the Problem

Despite the millions of repositories online, the risk is still significant. Researchers at Comparitech set up a honeypot to determine how quickly leaked secrets would be discovered and exploited. Their findings were alarming: it took less than a minute for the leaked secrets to be obtained which led to attempts to compromise their system.

…it took less than a minute.
It takes hackers 1 minute to find and abuse credentials exposed on GitHub — Comparitech

So, if you leak a secret, you should always treat it as compromised!

The False Security of Private Repositories

Do not underestimate the risks associated with leaking secrets in private repositories. Internal threats are often just as dangerous as external ones. Remember that private repositories may become public in the future. Consistently following best practices can lead to improved overall security standards.

Removing Secrets: What’s Next?

While it is possible to remove secrets from code, it is essential to assess whether credentials should be revoked or keys rotated, depending on the nature of the leak and the affected systems. Moreover, if using a Version Control System (VCS), the leaks may still be present in the commit history.

The Serious Consequences of Leaks

Revoking or rotating secrets can potentially disrupt to live services. Although it may be tempting to delay remedial action, your system or service remains vulnerable in the meantime. To prevent and manage leaks in your code, regardless of the VCS in use, consider implementing security best practices, regularly auditing your repositories, using secret detection tools to detect and address potential leaks, and routine employee training.

Conclusion

Safeguarding your repositories and maintaining robust security practices are essential for protecting your sensitive data and systems. By understanding the risks and consequences of leaked secrets, you can take proactive steps to ensure the security of your code repositories and prevent costly breaches.

About the author

Mark Patton is a Cloud Platform Tech Principal here at Version 1.