We’re a Little Too Open Source — Public Service Announcement

I searched for myself on Github … here’s the link

You can see all my contributions, things I’ve claimed copyright to, and then around page 15 you start seeing what looks like real customer data dumps and other interesting things. If you search for mailgun_password you can get a free account to spam people with (this happened to me last year, and I was surprised at the open rate … ).

You can find all kinds of secrets, such as access to Azure Storage, AWS, salts, databases, Slack tokens, GitHub tokens, etc. I’d like to think that they all get replaced in production … but they don’t. Not all the time. It’s not hard to write something to go find live ones.

I actually found a Microsoft Azure key that belonged to Microsoft (and told them about it before writing this). sluu99 built a really neat tool, codesearch, to find people who had committed these strings and notify them by email. If you run a service that issues keys/secrets, go see whether they are easy to search for and notify your users when you find them. It's an investment that will pay dividends.

If you have open source repositories, you should check any committed .env files or other configuration files for live keys and tokens. That includes the history of the repository, since the history is searchable as well. If you find any, consider those keys compromised and get new ones quickly.
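As an added example (not code from this post, and not the codesearch tool mentioned above), here is a small Python scanner a repository owner can run over their own .env files and over the full git history before publishing. The detection rules are assumptions: a few widely documented token prefixes plus a generic "credential-looking variable = value" rule for .env style files, with obvious placeholders skipped. The sample .env content is constructed for the demo and contains no real credentials; extend `PATTERNS` with your own service's key format if you are the one issuing keys.

```python
import re
import subprocess
from dataclasses import dataclass

# Assumed starting rules; add the key format of any service you operate.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{10,}\b"),
    # Generic .env assignment whose variable name suggests a credential.
    # Group 1 is the variable name, group 2 the (unquoted) value.
    "env_credential": re.compile(
        r"^[ \t]*(?:export[ \t]+)?"
        r"([A-Z0-9_]*(?:PASSWORD|SECRET|TOKEN|API_KEY|ACCESS_KEY)[A-Z0-9_]*)"
        r"[ \t]*=[ \t]*['\"]?([^'\"\s#]+)",
        re.IGNORECASE | re.MULTILINE,
    ),
}

# Values that are clearly not live credentials (template markers, shell refs).
PLACEHOLDERS = {"changeme", "xxx", "your_key_here", "todo", "example", "<redacted>"}


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int      # 1-based line in the scanned text
    masked: str    # never echo the full secret into logs or tickets


def is_placeholder(value):
    v = value.strip().strip("'\"").lower()
    return v in PLACEHOLDERS or v.startswith("${") or v.startswith("<")


def mask(value):
    # Keep just enough to identify which key was hit, nothing reusable.
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def find_secrets(text):
    """Return every non-placeholder credential match in a blob of text."""
    findings = []
    for rule, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(m.lastindex or 0)   # last group = value, else whole match
            if is_placeholder(value):
                continue
            line = text.count("\n", 0, m.start()) + 1
            findings.append(Finding(rule, line, mask(value)))
    return findings


def scan_files(paths):
    """Scan working-tree files (e.g. every .env and config file you ship)."""
    results = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = find_secrets(fh.read())
        if hits:
            results[path] = hits
    return results


def scan_git_history(repo_path):
    """Scan the lines ADDED by every commit on every branch, so a secret that was
    later deleted from the tree is still reported at the commit that introduced it.
    Finding.line here is the index among that commit's added lines."""
    out = subprocess.run(
        ["git", "-C", repo_path, "log", "-p", "--all", "--format=commit %H"],
        capture_output=True, text=True, check=True,
    ).stdout
    results, commit, added = {}, None, []
    for raw in out.splitlines() + ["commit END"]:
        if raw.startswith("commit "):
            if commit and added:
                hits = find_secrets("\n".join(added))
                if hits:
                    results[commit] = hits
            commit, added = raw.split()[1], []
        elif raw.startswith("+") and not raw.startswith("+++"):
            added.append(raw[1:])
    results.pop("END", None)
    return results


# Constructed sample .env for the demo; these are not real credentials.
SAMPLE_ENV = """\
# constructed sample .env, not real credentials
APP_NAME=demo
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
MAILGUN_PASSWORD=changeme
SLACK_TOKEN=xoxb-000000000000-000000000000-constructedtoken
GITHUB_TOKEN=${GITHUB_TOKEN}
DB_PASSWORD="s3cr3t-but-constructed"
"""

if __name__ == "__main__":
    for f in find_secrets(SAMPLE_ENV):
        print(f"line {f.line}: {f.rule} -> {f.masked}")
```

A line that trips two rules (an AWS key ID assigned to a variable whose name contains ACCESS_KEY) is reported twice, once per rule, which is intentional: a rule for a specific key format tells you exactly which provider to rotate with, while the generic rule catches the variables whose value format you did not anticipate. Running `scan_git_history(".")` on a real repository walks `git log -p --all`, so plan for it to take a while on large histories; anything it reports should be treated as compromised and rotated, not merely removed from the tree.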