GitLab scan finds 17,000 secrets in public repos, leading to $9000+ in bounties

https://trufflesecurity.com/blog/scanning-5-6-million-public-gitlab-repositories-for-secrets

30•adrianwaj•2mo ago

Comments

vatsachak•2mo ago

9000 in bounties for 17,000 secrets?

You could make as much in a month creating those vulnerabilities

3eb7988a1663•2mo ago

The post keeps saying "verified secrets" - how are they verified? Did the author attempt to login to each service? Or does verified just means that it looks like a valid token?

ctippett•2mo ago

Tools like TruffleHog[1] will attempt to verify any credentials it finds by making some sort of authenticated request.

[1] https://github.com/trufflesecurity/trufflehog#validation-

jsiepkes•2mo ago

> Each Lambda invocation executed a simple TruffleHog scan command with concurrency set to 1000. This setup allowed me to complete the scan of 5,600,000 repositories in just over 24 hours.

Gitlab must have been thrilled about a bot cloning 5.6 million repo's in 24 hours. That doesn't really sound responsible to me.

treyd•2mo ago

That's 64 clones per second. That's quite a lot but it seems like something that a forge operating at the scale of GitHub can handle, especially if they were --depth=1 (which might have missed some secrets if someone was lazy about clearing their git history).

nojs•2mo ago

Gitlab*

digi59404•2mo ago

Provided someone told GitLab Support. This was likely fine. GitLab can handle this much load. The platform as a whole has increased and improved over the years as new customers are added.

Think about this… every CI/CD Job runs a clone. That’s a lot..

47282847•2mo ago

If they don’t like, they will apply rate limiting? Assuming they were well behaved (user agent, IPs).

pcdevils•2mo ago

Assuming bog standard lambda they'd have to rate limit a whole Aws region lambda range which would risk affecting legit usage. Bit of an arse way to behave against a service

3eb7988a1663•2mo ago

I also thought the sleep(0.03) was cute. Some well deserved rest for the server to avoid hammering it.

iwontberude•2mo ago

Truffle Security treasury dollars: There are dozens of us! Dozens!

greatgib•2mo ago

"Google Cloud Platform (GCP) credentials were the most leaked secret type on GitLab repositories"

Not surprising, Google SDK are sucking so much in term of authentication. It's never something simple like an API key, always a shitty iam like opaque function based on an opaque sdk needing to be installed that in the end requires a huge json. And most of the time, it is a pain in the ass to provide the token "as-is" in a buffer but the sdk expects that you give a file path to it. So, I easily guess that a lot of lazy devs will just store the credential json file in their project and consider it a job done.

P2P crypto exchange development company

Vocal Guide – belt sing without killing yourself

Write for Your Readers Even If They Are Agents

Knowledge-Creating LLMs

Maple Mono: Smooth your coding flow

Sid Meier's System for Real-Time Music Composition and Synthesis

Show HN: Slop News – HN front page now, but it's all slop

Show HN: Empusa – Visual debugger to catch and resume AI agent retry loops

Show HN: Bitcoin wallet on NXP SE050 secure element, Tor-only open source

White House Explores Opening Antitrust Probe on Homebuilders

Show HN: MindDraft – AI task app with smart actions and auto expense tracking

How do you estimate AI app development costs accurately?

Going Through Snowden Documents, Part 5

Show HN: MCP Server for TradeStation

Canada unveils auto industry plan in latest pivot away from US

The essential Reinhold Niebuhr: selected essays and addresses

Rentahuman.ai Turns Humans into On-Demand Labor for AI Agents

StovexGlobal – Compliance Gaps to Note

Show HN: Afelyon – Turns Jira tickets into production-ready PRs (multi-repo)

Trump says America should move on from Epstein – it may not be that easy

Tiny Clippy – A native Office Assistant built in Rust and egui

LegalArgumentException: From Courtrooms to Clojure – Sen [video]

US moves to deport 5-year-old detained in Minnesota

If you lose your passport in Austria, head for McDonald's Golden Arches

Show HN: Mermaid Formatter – CLI and library to auto-format Mermaid diagrams

RFCs vs. READMEs: The Evolution of Protocols

Kanchipuram Saris and Thinking Machines

Chinese chemical supplier causes global baby formula recall

I've used AI to write 100% of my code for a year as an engineer

Looking for 4 Autistic Co-Founders for AI Startup (Equity-Based)