Using Twitter to notify developers who leaked their access tokens in GitHub: The Aftermath
Last week, we used Twitter Access Tokens exposed in GitHub to raise awareness regarding the consequences of forgetting secrets in public repositories, by using our @PinataHub_Bot.
Although some considered our campaign rather controversial, the response of affected Twitter users was overwhelmingly positive, with dozens of people expressing their appreciation. We are very glad we were able to make a positive impact on their Cybersecurity awareness !
All in all, around approximately 6.5K of the tokens we had discovered in our PinataHub dataset (70% of all valid Twitter tokens), were associated with apps that had write permission. Practically, beyond allowing read access, these tokens enabled anyone who used them to post Tweets, follow users, or update elements of associated user profiles. Thus, after notifying the affected users, we invalidated the tokens they have exposed, to protect their accounts from abuse by malicious parties.
Although, as noted in the context of GitHub Copilot GitHub itself considers all the exposed secrets as “already compromised” (read more here), let’s discuss the extent of the impact this could have if it was exploited by threat actors.
Main takeaways from our campaign:
1. Several big and verified accounts were affected.
Although the majority of the affected accounts, were (rather expectedly) bots, some very influential accounts got affected as well, including @BitMartExchange, @WesleySafadao, @AgidGov (Official account of the Agency for Digital Italy) and others. This indicates that the programmatic means used for maintaining such accounts (e.g. scripts to automate/schedule tweets, etc), comprise a novel attack vector that can be exploited with devastating consequences.
2. Where crypto is involved, things get funky.
Since several accounts of the crypto twitter were affected, including the official account of BitMart, one of the largest cryptocurrency exchanges, we observed an influx of retweets and follows by accounts within Twitter’s crypto ecosystem that actually were not affected by exposed access tokens.
This demonstrated how simple it actually is for malicious actors to perform large-scale crypto scams using compromised tokens. A very recent example of what could happen, is the scam that happened in Fractals’ Discord server, via an exposed webhook. Moreover, given the prevalence of crypto scams, it is highly likely that tokens and other exposed credentials in GitHub have already been used in the past for malicious purposes. The fact that crypto-related accounts were still re-sharing PinataHub_Bot’s tweet days after our campaign, is a clear indication that such abuse can keep flying under the radar for extended periods of time, and it is also difficult to contain.
3. We are not the only ones who have collected massive datasets of secrets from public GitHub repositories.
Some hours after we run our awareness campaign, we noticed something weird: The number of retweets was decreasing in a time-linear fashion, something that was very unlikely to happen without the intervention of a third-party. Of course, it makes sense that several of the affected users would remove the retweet of PinataHub_Bot’s post after being notified, but certainly not at an almost-constant rate.
The only explanation behind this, is that a “guardian angel” that somehow already had access to a large fraction of the source code containing the exposed tokens, as well as advanced means of secret scanning for detecting those tokens, decided to intervene and programmatically undo the retweets.
After noticing this, and to protect the exposed accounts from abuse, we immediately proceeded to invalidate all the tokens in our dataset using the relevant feature of Twitter’s API. Indeed, after this, the sharp drop of the retweet count stopped. Thus, there exists an unknown number of parties that collect exposed secrets and credentials from public GitHub, with all that that implies.
4. Public GitHub comprises a vast attack surface.
As we made clear in our previous post, we did not exploit any vulnerabilities. Users published themselves the source code containing the affected tokens, and opted to make it public for everyone to access.
Nonetheless, we received some criticism about not following a “responsible disclosure” process to notify Twitter/GitHub. This doesn’t really make much sense, though. The existence of leaked secrets in public GitHub repositories is a very well known issue, which even made Amazon to create a tool to prevent developers from sharing AWS secrets.
What we did was to demonstrate the scale of this problem, and how it could affect developers lacking cybersecurity awareness.
Of course, this is just the tip of the iceberg. As many developers are not accustomed with best practices for securing their DevOps lifecycle, they will keep leaking secrets and credentials unknowingly. Without an exceptionally effective secret scanning solution capable of detecting credentials and secrets of all kinds and notifying the affected developers accordingly, public GitHub repositories will continue to expose a vast attack surface, putting a great number of users and services at risk.
To tackle part of this ever-growing problem we are building GoldDigger, the most advanced secret detection solution ever conceived. Stat tuned for more !
Follow us on Twitter for updates and news.
