In a new study, Aqua Security, a leader in cloud-native security, has unveiled a significant vulnerability affecting Source Code Management (SCM) systems. The research highlights how poor coding practices and inherent behaviors of Git-based systems have led to long-term exposure of sensitive secrets, including credentials, API tokens, and passkeys, across various industries.
Secrets Exposed in Prominent Repositories
Aqua Security’s team, Aqua Nautilus, conducted an extensive scan of the top 100 organizations on GitHub, encompassing over 50,000 publicly accessible repositories. The findings were alarming: active secrets from prominent enterprises and open-source projects, such as Cisco and Mozilla, were discovered, exposing sensitive data and software to potential threats. The implications of such exposures are severe, ranging from financial losses to reputational damage and legal repercussions.
The Persistence of “Phantom Secrets”
Aqua Nautilus coined the term “phantom secrets” to describe how sensitive information persists in Git-based SCM systems even after it has been deleted or overwritten. The persistence follows from how these systems store commits: every committed version of a file is retained as an object in the repository’s history, so a secret committed once remains retrievable from that history long after a later commit removes it. A one-time developer error therefore becomes a long-term vulnerability.
“Our findings are truly alarming, and it is crucial that everyone involved in software development grasps the seriousness of this issue,” said Yakir Kadkoda, Aqua Nautilus Lead Security Researcher. “For years, we’ve been educating developers not to hard-code secrets into their code. Now, it turns out that even doing this just once permanently exposes that secret – even when they thought it was deleted or overwritten. The impact of a sensitive data leak can lead to unauthorised access, compromised security controls and significant financial or reputational damage. This would be devastating.”
Real-World Implications
Among the secrets uncovered, Aqua Nautilus found API tokens from Cisco Meraki and the Mozilla project. Cisco confirmed the exposure, noting that privileged Meraki API tokens used by some Fortune 500 companies could have given attackers access to network devices, camera footage, and more. Similarly, Mozilla acknowledged the exposure of critical API tokens, which could have revealed details of many security vulnerabilities in Firefox and Tor along with other confidential information.
In another instance, an Azure service principal token belonging to a major healthcare organisation was found exposed in a Git commit. This high-privilege token could have enabled attackers to perform a supply chain attack, impacting the organisation and its customers. In all cases, the exposed secrets were promptly revoked to mitigate potential damage.
The Need for Improved Practices
The persistence of phantom secrets underscores the need for improved coding practices. Developers often rely on secrets scanning tools to stop sensitive information from being committed and shipped. However, these tools frequently scan only the current version of the code and miss secrets that remain in the underlying Git history, where they stay accessible even after being overwritten or deleted.
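The mechanism behind both points above (secrets that survive deletion, and scanners that look only at the current checkout) can be reproduced in a throwaway repository. The script below is an added example and not Aqua Nautilus’ tooling: it commits a constructed placeholder token, “removes” it in a second commit, and then compares a scan of the current tree with a scan of the full history. It further shows that even rewriting history to drop the offending commit leaves the original object in the repository store, where it can still be read by its hash. The token value, file names and branch names are all made up for the demonstration.

```shell
#!/bin/sh
# Added example, not the page's or Aqua's code. Demonstrates why a secret
# committed once persists in a Git repository after it is "removed".
set -eu

# Constructed placeholder; not a real credential.
FAKE_SECRET="EXAMPLE_API_TOKEN_deadbeef1234"

# Build a temporary repo: commit a hard-coded token, then commit a "fix"
# that replaces it with an environment lookup. Prints the repo path.
make_demo_repo() {
    dir=$(mktemp -d)
    git -C "$dir" init -q
    git -C "$dir" config user.email "dev@example.invalid"
    git -C "$dir" config user.name "Demo Developer"
    printf 'api_token = "%s"\n' "$FAKE_SECRET" > "$dir/config.py"
    git -C "$dir" add config.py
    git -C "$dir" commit -q -m "add config"
    # The developer notices the mistake and removes the literal token.
    printf 'import os\napi_token = os.environ["API_TOKEN"]\n' > "$dir/config.py"
    git -C "$dir" add config.py
    git -C "$dir" commit -q -m "remove hard-coded token"
    printf '%s' "$dir"
}

# Scan only the tree at HEAD, as a scanner that inspects the current
# checkout would. Usage: secret_in_head <pattern> <repo>; prints yes/no.
secret_in_head() {
    if git -C "$2" grep -q -F "$1" HEAD; then echo yes; else echo no; fi
}

# Scan the tree of every commit reachable from any ref. This is what a
# history-aware secrets scanner must do to catch the "phantom" copy.
secret_in_history() {
    if git -C "$2" grep -q -F "$1" $(git -C "$2" rev-list --all); then
        echo yes
    else
        echo no
    fi
}

# Rewrite history so that no branch references the commit that contained
# the secret, then read the old blob directly by object id. The object
# survives in .git/objects until garbage collection, and hosted SCM
# services typically keep commits fetchable by hash for far longer.
secret_after_rewrite() {
    old_commit=$(git -C "$2" rev-list --max-parents=0 HEAD)
    old_branch=$(git -C "$2" symbolic-ref --short HEAD)
    git -C "$2" checkout -q --orphan clean-start
    git -C "$2" commit -q -m "fresh start without the token"
    git -C "$2" branch -q -D "$old_branch"
    if git -C "$2" cat-file -p "$old_commit:config.py" | grep -q -F "$1"; then
        echo yes
    else
        echo no
    fi
}

# Stand-alone demonstration.
repo=$(make_demo_repo)
echo "secret visible at HEAD:            $(secret_in_head "$FAKE_SECRET" "$repo")"
echo "secret visible in reachable history: $(secret_in_history "$FAKE_SECRET" "$repo")"
echo "secret readable after history rewrite: $(secret_after_rewrite "$FAKE_SECRET" "$repo")"
echo "secret visible in reachable history now: $(secret_in_history "$FAKE_SECRET" "$repo")"
rm -rf "$repo"
```

The contrast between the last two lines of output is the practical lesson: once the rewrite drops the old branch, a scan over reachable commits reports nothing, yet the blob is still readable by hash. Treating any secret that was ever committed as compromised, and rotating it, is the only reliable remediation; a history-aware scan of the repository is the detection step that tells you which secrets need that treatment.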
“The findings once again reinforce the best practice that secrets should never be put into code, not even for testing purposes, and security teams must be able to monitor this,” says Amir Jerbi, CTO and co-founder of Aqua Security. “The software supply chain is optimized for speed and convenience, but this cannot come at the expense of secure engineering practices.”
Addressing Overconfidence in Security Postures
Katie Norton, Research Manager for DevSecOps & Software Supply Chain Security at IDC, supported Aqua Nautilus’ findings, noting that many organisations exhibit overconfidence in their ability to secure application secrets. IDC research indicates that while organizations believe they are protected, the adoption of secrets management solutions remains low among DevSecOps tools.
Looking Ahead
In response to these findings, Aqua Security is enhancing its Software Supply Chain Security module, available in August. The upgrade will let Aqua customers block developers from committing code with embedded secrets and scan for phantom secrets that persist in their SCM file systems.
Aqua Security’s research serves as a stark reminder of the critical need for secure coding practices and vigilant monitoring to protect sensitive information in today’s fast-paced development environments.