- A researcher found 17,000 secrets exposed in GitLab Cloud repositories
- Leaked credentials risk hijacking, cryptomining, and deeper infrastructure compromise
- Marshall automated scans and earned $9,000 in rewards; some projects are still exposed
A security researcher found thousands of secrets in public GitLab Cloud repositories, demonstrating how software developers inadvertently put their own projects at risk of cyberattacks.
GitLab Cloud is the hosted version of GitLab, a platform that developers use to store code, track issues, run CI/CD pipelines, and collaborate on software projects.
Security researcher Luke Marshall recently scanned GitLab Cloud, Bitbucket, and Common Crawl for API keys, passwords, and tokens, and found thousands. In GitLab Cloud he found 17,000 secrets exposed in public repositories, spread across 2,800 unique domains. On Bitbucket he found more than 6,200 secrets across 2.6 million repositories, and in Common Crawl 12,000 valid secrets.
Automating scanning
Hackers who find these credentials can hijack cloud accounts, steal data, deploy cryptominers, spoof services, or delve deeper into an organization’s infrastructure. Even a single leaked token can give attackers long-term access to internal systems, allowing them to modify code, exhaust resources, or launch further attacks without being detected.
While most of the secrets were relatively new (generated after 2018), some were decades old and still valid, which makes it very likely that malicious actors have already discovered and used them. Most of the secrets were Google Cloud Platform (GCP) credentials and MongoDB keys. Other notable mentions include Telegram bot tokens, OpenAI keys, and GitLab keys.
Explaining the process, Marshall said he managed to automate most of it. It took him about 24 hours and just under $800 to finish it all. However, it was worth his time and money, as he reportedly collected around $9,000 in bug bounty rewards for his efforts. He was also able to automate the notification process. Many of the notified developers secured their projects, but some remain exposed even now, he said.
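The scan described above is, at its core, pattern matching over every line of every public file, followed by a validity check against each provider. The following is an added example, this editor's own code and not Marshall's tooling: a line-oriented scanner for the credential types the article names (GCP API keys and service-account private keys, MongoDB connection strings, Telegram bot tokens, OpenAI keys, GitLab personal access tokens), plus a generic high-entropy assignment check that filters out template placeholders. The token prefixes and lengths follow the publicly documented shape of each credential type; the sample config and JSON are constructed, and every value in them is fake.

```python
"""Line-oriented secret scanner for the credential types the article names.

Added example (not the researcher's code). Patterns follow the documented
public shape of each token type; the sample inputs below are constructed.
"""
import math
import re
from collections import Counter
from typing import Dict, List

# (kind, compiled regex). Group 0 is the candidate secret.
PATTERNS = [
    ("google_api_key", re.compile(r"AIza[0-9A-Za-z_-]{35}")),
    ("gcp_private_key", re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")),
    ("mongodb_uri", re.compile(r"mongodb(?:\+srv)?://[^:\s/]+:[^@\s]+@[^\s'\"]+")),
    ("telegram_bot_token", re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b")),
    ("openai_api_key", re.compile(r"\bsk-(?:proj-)?[A-Za-z0-9_-]{32,}")),
    ("gitlab_pat", re.compile(r"\bglpat-[A-Za-z0-9_-]{20}\b")),
]

# Generic "name = 'value'" assignment; the value is reported only if it looks random.
GENERIC = re.compile(
    r"(?i)(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)
PLACEHOLDERS = ("changeme", "example", "xxxx", "<", "${", "your_")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random tokens score above ~3.5, words below ~3."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(secret: str) -> str:
    """Keep just enough of the value to locate it in the file without re-leaking it."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return f"{secret[:4]}...{secret[-4:]}"


def scan_text(text: str, path: str = "<stdin>") -> List[Dict[str, object]]:
    """Return one finding per (line, kind) match; secret values are redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hit = False
        for kind, rx in PATTERNS:
            for m in rx.finditer(line):
                hit = True
                findings.append({"path": path, "line": lineno, "kind": kind,
                                 "redacted": redact(m.group(0))})
        if hit:
            continue  # a specific pattern already explained this line
        for m in GENERIC.finditer(line):
            value = m.group(1)
            if any(p in value.lower() for p in PLACEHOLDERS):
                continue  # template values are not leaks
            if shannon_entropy(value) < 3.5:
                continue  # dictionary-looking value; too noisy to report
            findings.append({"path": path, "line": lineno,
                             "kind": "high_entropy_assignment", "redacted": redact(value)})
    return findings


# Constructed sample inputs; every credential below is fake.
SAMPLE_CONFIG = """\
# constructed sample, every value here is fake
DATABASE_URL = "mongodb+srv://appuser:Sup3rS3cret@cluster0.example.mongodb.net/prod"
TELEGRAM_BOT_TOKEN = "123456789:AAHfiqksKZ8WmR2zSjiQ7_v4TMAKdiHm9T0"
OPENAI_API_KEY = "sk-abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUV"
GITLAB_TOKEN = "glpat-xZq9Pm3nRt7Vw2Kd8Lb1"
GOOGLE_MAPS_KEY = "AIzaSyDx9K2mQ7pLw4RtV8nB3cF6hJ1kM5oP0aZ"
ADMIN_PASSWORD = "changeme"
SESSION_SECRET = "q7Rt9vX2mL4pK8nB1cF6"
"""

SAMPLE_SA_JSON = """\
{
  "type": "service_account",
  "project_id": "demo-project",
  "private_key": "-----BEGIN PRIVATE KEY-----\\nMIIEfakefakefake\\n-----END PRIVATE KEY-----\\n"
}
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG, "config.py") + scan_text(SAMPLE_SA_JSON, "sa.json"):
        print(f"{f['path']}:{f['line']} {f['kind']} {f['redacted']}")
```

Two practical notes. First, run the scanner over `git log -p` output as well as the checked-out tree: a secret deleted in a later commit is still in the repository history and is still exposed. Second, the "still valid" part of the article's findings cannot be done offline; it requires a lightweight, read-only call to each provider with the candidate credential, which should be rate-limited and logged so the check itself does not look like abuse.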
Via BleepingComputer