New Web App Scans GitHub For Secrets Like Crypto Keys And Passwords

Published at: Oct. 30, 2019

A new web app, called “Shhgit”, will scan the web-based GitHub code repository and search for sensitive secrets, such as private crypto keys.

Scanning for private crypto keys and passwords

On Oct. 17, programmer and security expert Paul Price introduced his new tool, Shhgit. Shhgit scans for secrets across public code repositories that sometimes end up in the hands of bad actors and ultimately have the potential to cause significant data breaches.

Price said that finding these potentially harmful secrets across GitHub is nothing new. According to the programmer, there are tons of open-source tools available, such as gitrob and truffleHog, which all dig into “commit history to find secret tokens from specific repositories, users or organisations.”

Price added that software developers, who sometimes unwillingly leak secrets across public code repositories, should ensure secrets don't end up in their code base in the first place. At a minimum, Price said, “config files should be encrypted with an environment-based key.”
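As an added illustration of keeping secrets out of a code base in the first place (this is not code from Shhgit or from Price), the sketch below checks the added lines of a unified diff, such as the output of `git diff --cached`, before they are committed. The rule set, the entropy threshold and the sample diff are assumptions made for the example; the AWS key shown is the placeholder value from AWS documentation.

```python
import math
import re
from collections import Counter

# Illustrative rules only; these are not Shhgit's signatures.
PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
}
ASSIGNMENT = re.compile(  # quoted value assigned to a credential-like name
    r"(?i)\b(\w*(?:password|passwd|secret|token|api_?key)\w*)\s*[:=]\s*['\"]([^'\"]{8,})['\"]")

def shannon_entropy(value):
    """Bits per character; random tokens score higher than words or filler."""
    counts = Counter(value)
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())

def scan_diff(diff_text, min_entropy=3.5):
    """Return (file, new_line_no, rule) for each suspicious added line."""
    findings, path, line_no = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = re.sub(r"^b/", "", line[4:])
        elif line.startswith("@@"):
            # Hunk header "@@ -old,len +new,len @@": restart the new-file counter.
            line_no = int(re.search(r"\+(\d+)", line).group(1)) - 1
        elif line.startswith("+"):
            line_no += 1
            for rule, pattern in PATTERNS.items():
                if pattern.search(line):
                    findings.append((path, line_no, rule))
            m = ASSIGNMENT.search(line)
            # Low-entropy values (placeholders, filler) are not reported.
            if m and shannon_entropy(m.group(2)) >= min_entropy:
                findings.append((path, line_no, "high_entropy_" + m.group(1).lower()))
        elif line.startswith(" "):
            line_no += 1  # unchanged context line also advances the counter
    return findings

# Constructed sample diff; every value in it is made up for this example.
SAMPLE_DIFF = """\
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,2 +10,5 @@
 DEBUG = False
+DB_PASSWORD = "q8Zr2LmX0vTf9KpNw4Yb"
+GREETING_TOKEN = "aaaaaaaaaaaa"
 ALLOWED_HOSTS = []
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
"""
```

Run from a pre-commit hook, a non-empty result from `scan_diff` would be the signal to block the commit and move the value into an environment variable or an encrypted config file.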

Although scanning for secrets in public code repositories has existed since the launch of GitHub, some recent data breaches, such as the Capital One hack that left the personal data of over 100 million individuals exposed, show the severe implications of faulty security, which can lead to reputational damage and huge fines.

Price states that his tool can help in finding any secrets accidentally committed in real time, which should give developers the time to delete any sensitive information before hackers can have a field day with anybody’s private information.

Bitcoin has never been hacked

In July, Paige Thompson allegedly stole the confidential data for around 106 million Capital One customers' accounts and credit card applications. The hacker allegedly gained access to 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers, as well as data pertaining to customers’ credit scores, credit limits and balances.
