Security Dojo


shhhh! how to find passwords on Github

2020-11-16 2 min read fud0

“Find secrets right from your browser”. This is one of the sentences that appears prominently on the GitHub page of the project shhgit.

The reason is obvious: by opening the live version of the project at www.shhgit.com it is possible to watch passwords, Google OAuth keys, WordPress config files, NPM secrets and much more scrolling past in real time.

In fact, it is possible to filter and view a whole range of sensitive information in the form of data committed to GitHub, Gists, GitLab or BitBucket, for example.

Below is a screenshot of the main page.

shhgit - Main page

The project was created and made available by its author, Paul Price, a little over a year ago. The main intention was to focus attention on the security problem arising from publishing sensitive information in a “careless and superficial” way, sometimes only for testing purposes; such information can be very interesting in the hands of bug hunters and security researchers, but also of malicious actors.

The ability to locate private/secret information in Git repositories, especially within the history and commits, is not a “new” technique. Tools like gitrob and truffleHog are good examples of this.

GitHub itself, in trying to mitigate this problem and avoid possible leaks, has set up a project called “secret scanning” that proactively scans repositories to identify secret keys or tokens, i.e. credentials belonging to various service providers such as AWS, Azure and Google Cloud, to name probably the most famous ones.
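The two previous paragraphs describe the same technique from two sides: tools that walk a repository's history looking for credentials, and GitHub's own scanning that matches known token formats. The following Python is an added example written for this post, not code from shhgit, gitrob, truffleHog or GitHub's secret-scanning service; it shows the core of such a scanner as a defender would run it over commits before they leave the building. It assumes a git history represented as a list of (sha, unified diff text) pairs, uses the publicly documented `AKIA` prefix of AWS access key IDs, and treats the other patterns and the entropy threshold as assumptions of the example. The sample commits and their values are constructed (the AWS key is AWS's own documented example value).

```python
import math
import re
from collections import Counter

# Credential formats to look for. The AWS access key ID prefix is publicly
# documented; the other two are generic heuristics chosen for this example and
# are not GitHub's secret-scanning rules.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Matches "password = '...'", "API_TOKEN: ..." and similar assignments;
    # no leading \b so that names such as DB_PASSWORD are also caught.
    "assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]?([^'\"\s]{8,})"
    ),
}

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random tokens score high, plain words low."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

def scan_text(text: str, entropy_threshold: float = 3.5):
    """Return (kind, value) findings for every line a diff adds."""
    findings = []
    for line in text.splitlines():
        # Only lines introduced by the commit matter; removed and context lines
        # are skipped, as is the "+++ b/file" header.
        if not line.startswith("+") or line.startswith("+++"):
            continue
        body = line[1:]
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(body):
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                # Generic assignments are noisy: keep only high-entropy values,
                # which drops placeholders such as "changeme".
                if kind == "assignment" and shannon_entropy(value) < entropy_threshold:
                    continue
                findings.append((kind, value))
    return findings

def scan_history(commits):
    """commits: list of (sha, diff_text). Findings are tagged with the commit."""
    results = []
    for sha, diff in commits:
        for kind, value in scan_text(diff):
            results.append((sha, kind, value))
    return results

# Constructed sample history (assumption of this example): the first commit
# adds credentials, the second replaces one of them with an environment lookup.
# The secret stays in history, which is exactly why the whole history is scanned.
SAMPLE_COMMITS = [
    ("c0ffee1", "\n".join([
        "+++ b/config/settings.py",
        "+AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'",   # AWS's documented example key
        "+DB_PASSWORD = 'changeme'",                     # low entropy, filtered out
        "+API_TOKEN = 'q8Zr2vLx9pKdT4sWnB7yH3mJ'",       # constructed random-looking token
        " DEBUG = False",
    ])),
    ("deadbee", "\n".join([
        "+++ b/config/settings.py",
        "-AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'",
        "+AWS_ACCESS_KEY_ID = os.environ['AWS_ACCESS_KEY_ID']",
    ])),
]

if __name__ == "__main__":
    for sha, kind, value in scan_history(SAMPLE_COMMITS):
        print(f"{sha}: {kind} -> {value}")
```

Run stand-alone it reports the AWS key and the API token from the first commit and nothing from the second; the low-entropy `changeme` is dropped. The same function can be fed the output of `git log -p` split per commit, or wired into a pre-receive hook, so that a leak is caught before the push rather than by a stranger watching a live feed.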

shhgit is definitely a very interesting tool to add to your arsenal of OSINT/bug bounty tools. The ability to skip the web interface and rely instead on the classic command line is a great plus, since it also allows automation through scripts.

Leave the browser tab open on the project site for a few minutes and you will re-evaluate the importance of using build parameters in your Jenkins jobs. Or maybe it will lead you to adopt more complex solutions, such as plug-ins for securely managing credentials within CI/CD toolsets.