Lord777
Despite years of warnings and persistent recommendations from experts, many developers still can't avoid including sensitive data in their open source code.
The problem arises from immature coding practices, where developers embed encryption keys, security tokens, passwords, and other credentials directly into the source code to simplify development and make it easier for programs to access databases or cloud services. However, this approach makes software products vulnerable to external attacks.
Back in 2013, an independent security researcher found that an ordinary Internet search turns up dozens of accounts with exposed credentials. One of those accounts gave privileged access to the Chromium.org repositories, where the source code of the open-source browser of the same name is stored.
And in 2015, Uber learned the hard way how disruptive this practice can be. One or more of the ride-hailing service's developers embedded a unique security key in the project's source code and then, without a second thought, published that code on a public GitHub page. When hackers discovered that the code contained a key, they copied it and used it to access Uber's internal database. The attackers then managed to steal a large amount of confidential information belonging to 50 thousand Uber drivers.
This week, researchers from GitGuardian reported finding nearly 4,000 unique secrets in 450,000 projects submitted to PyPI, the official package repository for the Python programming language. These included Azure Active Directory API keys, GitHub OAuth credentials, Dropbox keys, SSH credentials, and many others. The researchers note that the number of such leaks is only growing over time.
The study shows that leaks occur in various file types, including the main ".py" source files, README files, and test folders. GitGuardian specialists tested the leaked secrets and found that 768 of them remain active, which further increases the risks.
For secure access to databases and cloud resources, various mechanisms now exist, such as ".env" files stored in private environments, outside of public code repositories, as well as tools such as AWS Secrets Manager, Google Cloud's Secret Manager, or Azure Key Vault. Developers can also use a variety of scanners to check the code for accidentally included credentials before publishing it.
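As an added illustration of the last two points (this is example code written for this post, not GitGuardian's scanner or any vendor's tool), the block below shows a minimal pre-publish secrets check a developer could run on a package before uploading it, together with the pattern that replaces a hardcoded literal: reading the secret from the environment, which a private ".env" file or a secret manager populates. The credential formats it looks for are the publicly documented prefixes for AWS access key IDs and GitHub tokens plus PEM private-key headers; the regexes, the entropy threshold and the `SAMPLE` settings module are this example's own constructions, and the sample values are not real credentials.

```python
"""Minimal pre-publish secrets scanner plus the environment-based alternative.

Added example, not code from the original post. Scans text for well-known
credential formats and for high-entropy values assigned to names such as
`password` or `api_key`, so a leak is caught before `git push`/`twine upload`.
"""
import math
import os
import re
import sys
from collections import Counter
from pathlib import Path

# Vendor-documented prefixes (AKIA..., ghp_/gho_/ghu_/ghs_/ghr_...) and PEM
# headers. These regexes are this example's own approximations.
SPECIFIC_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"
    ),
}

# Generic "<secret-ish name> = '<value>'" assignment; the value is group 1.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(?:password|passwd|secret|api_key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)


def shannon_entropy(s: str) -> float:
    """Bits per character: random keys score high, dictionary words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, entropy_threshold: float = 3.5):
    """Return (line_number, finding_name, value) for each suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = [(lineno, name, m.group(0))
                for name, rx in SPECIFIC_PATTERNS.items()
                for m in rx.finditer(line)]
        if not hits:
            # Only fall back to the generic rule when no specific format matched,
            # and skip low-entropy values, which are usually placeholders.
            for m in GENERIC_ASSIGNMENT.finditer(line):
                value = m.group(1)
                if shannon_entropy(value) >= entropy_threshold:
                    hits.append((lineno, "high_entropy_assignment", value))
        findings.extend(hits)
    return findings


def scan_paths(paths, suffixes=(".py", ".md", ".txt", ".env", ".cfg", ".ini")):
    """Walk directories/files and scan every text file with a listed suffix."""
    findings = {}
    for root in map(Path, paths):
        files = [root] if root.is_file() else root.rglob("*")
        for f in files:
            if f.is_file() and f.suffix in suffixes:
                hits = scan_text(f.read_text(errors="replace"))
                if hits:
                    findings[str(f)] = hits
    return findings


def secret_from_env(name: str) -> str:
    """The replacement for a hardcoded literal: the process environment,
    filled from a private .env file or a secret manager, never from source."""
    try:
        return os.environ[name]
    except KeyError:
        raise RuntimeError(f"{name} is not set; refusing to run without it") from None


# Constructed sample of a leaky settings module; none of these are real secrets.
SAMPLE = '''\
DB_PASSWORD = "password123"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
API_KEY = "q7Zp2xV9mL4kR8wT1nB6yH3cF5dG0sJ2"
'''

if __name__ == "__main__":
    # Usage: python secrets_check.py <path>...   (exit status 1 if anything found)
    results = scan_paths(sys.argv[1:]) if len(sys.argv) > 1 else {"<sample>": scan_text(SAMPLE)}
    for path, hits in results.items():
        for lineno, name, value in hits:
            print(f"{path}:{lineno}: {name}: {value[:6]}...")
    sys.exit(1 if results else 0)
```

Run on the embedded sample, the scanner reports the AWS key, the GitHub token and the random-looking `API_KEY`, while `password123` is skipped as a low-entropy placeholder. Wiring `scan_paths` into a pre-commit hook or a release pipeline gives the "check before publishing" step the article recommends; a false positive from the entropy rule is cheap, a push of a live key is not.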
GitGuardian's research is limited to PyPI, one of many open repositories, but there is no reason to believe that the problem is not widespread in other repositories as well.