The attacker's guide to exploiting secrets in the universe

Presented at BSidesLV 2023, Aug. 9, 2023, 5 p.m. (Unknown duration)

Secrets like API keys and other credentials continue to be a persistent vulnerability. This presentation sheds light on the methods used to discover and exploit such secrets in various environments, including public and private git repositories, containers, and compiled mobile applications. Recent research has shown that git repositories are a treasure trove of secrets, with 10 million secrets discovered in public repositories in 2022 on GitHub alone. Private repositories are also an issue, as they regularly contain large numbers of secrets in their history. The presentation's first segment delves into discovering and exploiting secrets in both public and private repositories through various methods, such as abusing GitHub's public API, discovering exposed .git directories on networks, and exploiting misconfigurations in git servers. The second segment of the presentation discusses how attackers can discover secrets inside compiled applications. We review how almost 50% of mobile applications hosted on the Google Play Store and nearly 5% of Docker images hosted on DockerHub.com contain at least one plain-text secret. This presentation offers valuable insights and information on how to identify and address exposed secrets, one of the most persistent vulnerabilities in application security.

Presenters:

  • Mackenzie Jackson
    Mackenzie is a developer advocate with a passion for DevOps and code security. As the co-founder and former CTO of a health tech startup, he learnt first-hand how critical it is to build secure applications with robust developer operations. Today as a Developer Advocate at GitGuardian, Mackenzie is able to share his passion for code security with developers and works closely with research teams to show how malicious actors discover and exploit vulnerabilities in code.
