Session
From Code to Cloud: What We Accidentally Share on GitHub
Millions of lines of code are publicly published on GitHub every day. Most of this code is never reviewed by anyone other than the author. Sometimes the author publishes old code without reviewing it, code that may have been written for personal use or during their job. These lines of code can occasionally contain passwords and secrets, and when searching through a large amount of code we will almost certainly find them.
Cloud secrets, particularly Azure secrets, are usually accompanied by the tenant ID. Using some Azure magic, we can find any tenant ID by the tenant’s name without authenticating. The tool I created takes advantage of this and uses the GitHub API to search for that tenant ID and extract all associated secrets and credentials.
In this session I will go over the use of the tool as both an offensive and a defensive one, the latter by tracking your own leaked secrets and credentials.
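The defensive side of the abstract, tracking credentials before they leak, is the part an organisation can act on directly. The following added example (written for this page, not the speaker's tool) shows the kind of check a pre-commit hook or CI job can run: it flags files that contain a secret-looking assignment, and raises the severity when a GUID (the shape of an Azure tenant or application ID) sits in the same file, since the abstract's point is that such an ID is what makes a leaked secret findable. The file contents, paths and values are constructed placeholders; the regexes and severity rule are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample file contents (assumption: these stand in for the files a
# pre-commit hook or CI job would read). Every value is a made-up placeholder.
SAMPLE_FILES = {
    "deploy/config.py": (
        'TENANT_ID = "11111111-2222-3333-4444-555555555555"\n'
        'CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"\n'
        'CLIENT_SECRET = "placeholder-secret-value-0123456789"\n'
    ),
    "README.md": (
        "Set AZURE_TENANT_ID to your tenant before running the deployment script.\n"
        "Example tenant: 11111111-2222-3333-4444-555555555555\n"
    ),
    "tests/test_login.py": (
        'password = "hunter2hunter2"\n'
    ),
}

# Azure tenant IDs and application (client) IDs are GUIDs.
GUID_RE = re.compile(r"\b[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}\b")

# An assignment whose key name suggests a secret and whose value is a quoted
# string of at least 8 characters (assumed heuristic, tune for your code base).
SECRET_RE = re.compile(
    r"(?i)\b(?:client[_-]?secret|password|passwd|secret|api[_-]?key)\b"
    r"\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)


@dataclass
class Finding:
    path: str
    severity: str       # "high": secret plus a GUID in the same file; "medium": secret only
    guid_lines: list    # line numbers where GUIDs (candidate tenant/client IDs) appear
    secret_lines: list  # line numbers where secret-like assignments appear


def scan_text(path, text):
    """Scan one file's text; return a Finding or None when no secret-like value is present."""
    guid_lines, secret_lines = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if GUID_RE.search(line):
            guid_lines.append(lineno)
        if SECRET_RE.search(line):
            secret_lines.append(lineno)
    if not secret_lines:
        # A GUID on its own is not a leak; tenant IDs appear in plenty of harmless docs.
        return None
    severity = "high" if guid_lines else "medium"
    return Finding(path, severity, guid_lines, secret_lines)


def scan_files(files):
    """Scan a mapping of path -> text and return the list of Findings, in input order."""
    findings = []
    for path, text in files.items():
        finding = scan_text(path, text)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.severity.upper():6} {f.path}: secret-like value on line(s) {f.secret_lines}, "
              f"GUID(s) on line(s) {f.guid_lines}")
```

Run as a pre-commit hook, a non-empty result from `scan_files` over the staged files is the signal to block the commit; the line numbers let the author remove the value and rotate the credential before it ever reaches a public repository.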