Secrets exposed by thousands of leading websites

SecurityWeek reports that exposed Git directories containing code commits, file paths, source codes, and other secrets were observed across 4,500 websites in the Alexa Top 1 Million Websites list. Most of the credentials leaked by the websites were AWS and GitHub keys, with prevalent GitHub token exposure attributed to Git config file storage in the remote repository cloning process, a Truffle Security report showed. Further examination revealed admin-level privileges in 67% of leaked GitHub credentials, while all were found to have repo permissions, which could be exploited to facilitate arbitrary actions, including malware deployment. Exposure of private RSA keys corresponding to a website's TLS certificate was also identified, which could be leveraged by threat actors in man-in-the-middle attacks. "We only reported verified live secrets, meaning we have extremely high confidence the secrets can be used by an attacker. There are many additional secret types that require users to verify them with an on-premise application/server," said Truffle Security.