
Open-source projects leak thousands of sensitive credentials in 2023

One misclick can expose an entire company. Researchers found thousands of private credentials—from AWS keys to Telegram tokens—leaked in public repositories last year. Now, experts warn the problem is getting worse.



Notably, 2922 projects contained at least one unique secret. The leaked secrets included AWS keys, Redis credentials, Google API keys and a range of database credentials.

The research, published on GitGuardian by Python developer Tom Forbes, underscores the potential consequences of such leaks, emphasizing that valid credentials are a primary vector for cyber-attacks.

The Python Package Index, home to over 450,000 projects, plays a crucial role in the software supply chain, constituting an estimated 90% of code run in production. Forbes said the findings show the need for stronger security measures, since secrets are being accidentally included in open-source packages and the problem has reportedly grown steadily over time.

The blog post also revealed trends in the types of secrets leaked, with notable increases in valid Telegram bot tokens, Google API key leaks and a surge in leaked database credentials in 2022. The data suggests that leaked credentials have become a leading cause of breaches in 2023.

Furthermore, the study shed light on the exposure methods, indicating that most secrets are leaked accidentally.

Forbes wrote: "Just as it is all too easy to make a private repo a public repo, [it] just takes a few wrong keystrokes to push a package intended for internal use into public availability."

"In the course of outreach for this project, we discovered at least 15 incidents where the publisher was unaware they had made their project public."

Forbes thus highlighted incidents where large companies inadvertently made their projects public, emphasizing the need for heightened awareness and preventive measures.

"Exposing secrets in open-source packages carries significant risks for developers and users alike. Attackers can exploit this information to gain unauthorized access, impersonate package maintainers or manipulate users through social engineering tactics," the blog post reads.


To tackle these issues, the researcher recommended strategies such as avoiding unencrypted credentials, implementing automated secrets scanning and leveraging cloud secrets managers.
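As an added illustration of the automated secrets scanning recommended above (not code from the article or from Forbes's research), the following Python script checks a package directory for the secret types the research reports: AWS keys, Google API keys, Telegram bot tokens and Redis/database connection strings. The detectors use the publicly documented token shapes for those services; every sample value is constructed and matches only the shape, not any real credential.

```python
import re
from pathlib import Path

# Detectors for the secret types the article reports as leaked on PyPI. AWS, Google
# and Telegram use their publicly documented token shapes; the last pattern catches
# Redis/database connection URLs that embed a password.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])"),
    "telegram_bot_token": re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}(?![0-9A-Za-z_-])"),
    "db_url_with_password": re.compile(r"\b(?:rediss?|postgres(?:ql)?|mysql|mongodb)://[^:/\s]*:[^@\s]+@"),
}
SCANNED_SUFFIXES = {".py", ".cfg", ".toml", ".ini", ".json", ".yaml", ".yml", ".txt"}

def scan_text(text: str, source: str = "<memory>") -> list[dict]:
    """One finding per match; the value is redacted so the report itself does not re-leak it."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                hit = match.group(0)
                findings.append({"kind": kind, "source": source, "line": lineno,
                                 "redacted": hit[:4] + "*" * (len(hit) - 4)})
    return findings

def scan_tree(root: Path) -> list[dict]:
    """Scan text-like files under a package directory before it is built or uploaded."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and ".git" not in path.parts and (path.suffix in SCANNED_SUFFIXES or path.name == ".env"):
            findings.extend(scan_text(path.read_text(errors="replace"), str(path)))
    return findings

# Constructed sample resembling a settings module accidentally shipped in a package.
# Every value is fabricated and matches only the token shape, not a real credential.
SAMPLE_SETTINGS = '''
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE00"
GOOGLE_API_KEY = "AIzaEXAMPLE_EXAMPLE_EXAMPLE_EXAMPLE_EXA"
TELEGRAM_TOKEN = "123456789:EXAMPLE_EXAMPLE_EXAMPLE_EXAMPLE_EXA"
REDIS_URL = "redis://:hunter2@cache.example.internal:6379/0"
DATABASE_URL = "postgresql://app:s3cret@db.example.internal/app"
PUBLIC_ENDPOINT = "https://api.example.com/v1"   # no embedded password: must not match
'''

if __name__ == "__main__":  # e.g. run as a CI step before the package is uploaded
    for f in scan_text(SAMPLE_SETTINGS, "settings.py"):
        print(f"{f['source']}:{f['line']}: {f['kind']} {f['redacted']}")
```

Pattern-based detection only finds secrets with a recognisable shape, so it complements rather than replaces keeping credentials out of the source tree in the first place, for example by reading them from a cloud secrets manager at runtime.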
