GitHub secrets: Deleted files still pose risks
“I built an automation that cloned and scanned tens of thousands of public GitHub repos for leaked secrets,” Brizinov said in a blog post. “For each repository, I restored deleted files, found dangling blobs, and unpacked .pack files to search in them for exposed (secrets).”
Brizinov earned $64,000 in bug bounties for finding dozens of repositories belonging to Fortune 500 companies that were leaking hundreds of secrets this way.
Git history retains files even after deletion
As the research shows, Git retains the complete history of changes, so a deleted file and its contents remain accessible from earlier commits unless the history is properly purged: a commit that removes a file only drops it from the working tree, and even objects that no commit references can linger as dangling blobs until garbage collection runs. “Developers often forget that Git history retains everything, even after files are removed from the working directory,” Brizinov noted. In practice, purging means rewriting history, expiring reflogs and garbage-collecting the repository, and the credential should be rotated regardless, since any clone or fork made before the rewrite still holds the old object.
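The checks described above, as an added example that is not Brizinov's scanner or any code from the original post: given a local clone, the script restores the last version of every file deleted in any commit on any branch, lists dangling blobs, and walks every blob in the object database, loose or packed, which is how it reaches the contents of .pack files without unpacking them by hand. The secret pattern (an AWS access key ID shape), the helper names and the throwaway repository it builds are constructed for the demonstration; the key values are AWS documentation placeholders, not live credentials.

```shell
#!/bin/sh
# Added example, not Brizinov's tooling: find secrets that a working-tree grep
# misses because they survive only in git history or in unreferenced objects.
# Assumptions: a local clone, git on PATH, and SECRET_RE as the secret shape
# (constructed: AWS access key ID format). Usage: sh scan.sh [path-to-clone]
set -eu

SECRET_RE='AKIA[0-9A-Z]{16}'

short() { printf %s "$1" | cut -c1-7; }

# Baseline: what a scanner that only reads the checkout sees.
scan_worktree() {
  git -C "$1" grep -Eoh "$SECRET_RE" 2>/dev/null || true
}

# 1. Deleted files. For every commit on every branch that removed a file,
#    read that file from the commit's parent, i.e. the last version before
#    the deletion. A "remove secret" commit leaves the blob in history.
scan_deleted_files() {
  git -C "$1" log --all --diff-filter=D --name-only --format='%H' |
    awk '/^[0-9a-f]+$/ && length($0) >= 40 { commit = $0; next }
         NF { print commit " " $0 }' |
    while read -r commit path; do
      git -C "$1" show "${commit}^:${path}" 2>/dev/null |
        grep -Eao "$SECRET_RE" | sed "s|^|${path}@$(short "$commit"): |" || true
    done
}

# 2. Blobs that no commit, tag, index entry or reflog references: the objects
#    git fsck reports as "dangling". History walking never reaches these.
dangling_blobs() {
  { git -C "$1" fsck --dangling 2>/dev/null || true; } |
    awk '$1 == "dangling" && $2 == "blob" { print $3 }'
}

# 3. Every blob in the object database, reachable or not, loose or inside a
#    .pack file. cat-file reads packs directly, so no manual unpacking is
#    needed; this is the superset of (1) and (2).
scan_all_blobs() {
  git -C "$1" cat-file --batch-all-objects --batch-check='%(objectname) %(objecttype)' |
    awk '$2 == "blob" { print $1 }' |
    while read -r sha; do
      git -C "$1" cat-file -p "$sha" |
        grep -Eao "$SECRET_RE" | sed "s|^|blob $(short "$sha"): |" || true
    done
}

# Constructed demo repository: a secret is committed, then "removed" by a
# later commit, and a second copy sits in a blob that no commit references.
# The key values are AWS documentation placeholders, not live credentials.
make_demo_repo() {
  d=$(mktemp -d)
  git -C "$d" init -q
  git -C "$d" config user.email dev@example.com
  git -C "$d" config user.name dev
  echo 'AWS_KEY=AKIAIOSFODNN7EXAMPLE' > "$d/config.env"
  git -C "$d" add config.env
  git -C "$d" commit -qm 'add config'
  git -C "$d" rm -q config.env
  git -C "$d" commit -qm 'remove secret'      # blob still reachable from the first commit
  echo 'token=AKIAI44QH8DHBEXAMPLE' | git -C "$d" hash-object -w --stdin >/dev/null
  git -C "$d" repack -a -d -q                 # reachable objects now live only inside a .pack
  echo "$d"
}

REPO=${1:-$(make_demo_repo)}
echo "== worktree grep (what a naive scan sees) =="; scan_worktree "$REPO"
echo "== restored deleted files =="; scan_deleted_files "$REPO"
echo "== dangling blobs =="; dangling_blobs "$REPO"
echo "== every blob, loose or packed =="; scan_all_blobs "$REPO"
```

On the constructed repository the worktree grep prints nothing, the deleted-file pass recovers the key from config.env, and the object-database pass finds both copies: the one inside the pack and the dangling one. Run it against a real clone by passing the path; the three passes are ordered from cheapest to most complete, and only the last one sees objects that nothing references.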