Session
From Code to Cloud: What We Accidentally Share on GitHub
Millions of lines of code are published publicly on GitHub every day. This vast body of code includes projects from developers worldwide, ranging from personal experiments to professional work. Most of it is never reviewed by anyone other than the author. Sometimes the author publishes old code without reviewing it, whether written for personal use or during their job. These lines of code occasionally contain sensitive information, such as passwords and secrets, and when searching through a large enough amount of code, we will almost certainly find them.
Cloud secrets committed to code are usually accompanied by the tenant ID. Using an unauthenticated Azure lookup, we can resolve any tenant's name to its tenant ID. The tool I created takes advantage of this capability and uses the GitHub API to search for that tenant ID and extract all associated secrets and credentials. This process uncovers potentially exposed secrets that could be exploited if they are not properly secured.
In this session, I will go over the use of the tool I created as both an offensive and a defensive tool for tracking leaked secrets and credentials. On the offensive side, it can be used to identify credentials and potential points of entry into the targeted organization. On the defensive side, it helps organizations monitor and mitigate the risk of leaked credentials, ensuring their systems remain secure.