A research study by academics at North Carolina State University (NCSU) has shown that certain GitHub repos were leaking API tokens and cryptographic keys.
The study analyzed more than a billion GitHub files spread across millions of repositories. The three-member team specifically looked for text strings containing API tokens or cryptographic keys in a range of formats.
The big picture
RSA keys found
On top of finding API tokens and cryptographic keys, the NCSU team also found over 7000 RSA keys inside OpenVPN config files.
Their analysis showed that most users had turned off password authentication and relied on these RSA keys alone for access, so an attacker who obtains the keys could infiltrate thousands of private networks.
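A defender-side check for the condition described above, added here as an example and not code from the study or from GitHub's scanner: it audits an OpenVPN client profile for an embedded PEM private key, whether that key is passphrase-protected, and whether the profile ever prompts for credentials. The sample profiles are constructed, and treating "password authentication turned off" as the absence of an `auth-user-pass` directive is an assumption made for this example.

```python
import re

# Constructed sample OpenVPN client profile, not taken from the study.
# The placeholder base64 stands in for a real embedded RSA private key.
SAMPLE_LEAKY_OVPN = """client
dev tun
remote vpn.example.invalid 1194
<key>
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAplaceholderplaceholderplaceholder
-----END RSA PRIVATE KEY-----
</key>
"""

# Constructed profile with no embedded key and password prompting enabled.
SAMPLE_SAFE_OVPN = """client
dev tun
remote vpn.example.invalid 1194
auth-user-pass
key client.key
"""

PRIVATE_KEY_RE = re.compile(
    r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")
# Assumption: no auth-user-pass directive means no password is ever asked for.
AUTH_USER_PASS_RE = re.compile(r"^\s*auth-user-pass\b", re.MULTILINE)
# PKCS#8 encrypted header or legacy PEM Proc-Type marker => passphrase-protected.
ENCRYPTED_RE = re.compile(r"ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED")

def audit_ovpn(text):
    """Return booleans describing one OpenVPN profile's exposure."""
    has_key = PRIVATE_KEY_RE.search(text) is not None
    plaintext_key = has_key and ENCRYPTED_RE.search(text) is None
    no_pw = AUTH_USER_PASS_RE.search(text) is None
    return {
        "embedded_private_key": has_key,
        "key_has_no_passphrase": plaintext_key,
        "password_auth_disabled": no_pw,
        # All three together: committing this file hands out working VPN access.
        "leaked_network_access": has_key and plaintext_key and no_pw,
    }

def scan_files(named_texts):
    """Run audit_ovpn over (name, text) pairs; return names that leak access."""
    return [name for name, text in named_texts
            if audit_ovpn(text)["leaked_network_access"]]

if __name__ == "__main__":
    for name, text in [("leaky.ovpn", SAMPLE_LEAKY_OVPN),
                       ("safe.ovpn", SAMPLE_SAFE_OVPN)]:
        print(name, audit_ovpn(text))
```

Wired into a pre-commit hook, `scan_files` blocks the profile before it ever reaches a public repository.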
Resolution in the works
Brad Reaves, Assistant Professor in the Department of Computer Science at NCSU, told ZDNet that the study's results were shared with the GitHub corporate team.
“We have discussed the results with GitHub. They initiated an internal project to detect and notify developers about leaked secrets right around the time we were wrapping up our study. This project was publicly acknowledged in October 2018,” Reaves said.