Focus on repositories of organizations and their employees

Jan 14, 2015 10:15 GMT  ·  By

A new utility has been developed that lets companies scour GitHub repositories for sensitive files belonging to them, so that leaked data can be found and pulled before others find it.

GitHub's search function is known to surface confidential information that has been published by accident or by users who did not grasp the sensitive nature of the data.

Identifies files according to user-defined patterns

Since companies often use GitHub as a collaboration platform for their developers, private code is sometimes leaked inadvertently by employees.

Created by Michael Henriksen, a member of the security team at SoundCloud, the command-line tool GitRob restricts its search of GitHub to repositories tied to a given organization.

It works by collecting all the public repositories of the organization itself, then the public repositories of the employees who are members of that organization, and indexing the files found in them.

“When the list of repositories has been compiled, it proceeds to gather all the filenames in each repository and runs them through a series of observers that will flag the files if they match any patterns of known sensitive files,” Henriksen writes in a blog post.

He warns that the identification process may take a while to complete in the case of companies with a large number of public repositories.
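To make the gather-filenames-then-observe step concrete, here is an added example in Ruby (the language GitRob itself is written in). It is not GitRob's code: the signature list is illustrative rather than GitRob's own, and the repository inventory is constructed inline in place of the GitHub API calls GitRob makes to enumerate an organization's repositories and its members' repositories.

```ruby
# Added example, not GitRob's code: a minimal filename "observer" pass in the
# style the article describes. Signatures and the repository inventory below
# are constructed for illustration.

Signature = Struct.new(:part, :type, :value, :caption, :severity)

# Illustrative signatures (assumed); each matches one part of a path either
# exactly (:match) or by regular expression (:regex).
SIGNATURES = [
  Signature.new(:filename,  :match, 'id_rsa',        'Private SSH key',                        :high),
  Signature.new(:filename,  :match, 'id_dsa',        'Private SSH key',                        :high),
  Signature.new(:extension, :match, 'pem',           'PEM file, possibly a private key',       :high),
  Signature.new(:extension, :match, 'p12',           'PKCS#12 keystore',                       :high),
  Signature.new(:filename,  :match, 'wp-config.php', 'WordPress config with DB credentials',   :high),
  Signature.new(:filename,  :match, '.htpasswd',     'Apache htpasswd (password hashes)',      :medium),
  Signature.new(:filename,  :match, '.env',          'Environment file, often holds secrets',  :medium),
  Signature.new(:extension, :match, 'sql',           'SQL dump, may contain password hashes',  :medium),
  Signature.new(:path,      :regex, %r{(\A|/)\.aws/credentials\z}, 'AWS credentials file',    :high),
  Signature.new(:filename,  :regex, /\A\.?(bash|zsh|mysql)_history\z/, 'Shell/DB history',    :low),
].freeze

# Split a repository path into the parts signatures are matched against.
# File.extname returns "" for dotfiles such as ".env", so those only match
# on :filename, which is what we want.
def path_parts(path)
  filename  = File.basename(path)
  extension = File.extname(filename).sub(/\A\./, '')
  { path: path, filename: filename, extension: extension }
end

def signature_matches?(sig, parts)
  subject = parts[sig.part]
  case sig.type
  when :match then subject == sig.value
  when :regex then !!(subject =~ sig.value)
  else false
  end
end

# Run every signature over one path in one repository; returns 0..n findings.
def observe(repo, path)
  parts = path_parts(path)
  SIGNATURES.select { |sig| signature_matches?(sig, parts) }
            .map { |sig| { repo: repo, path: path, caption: sig.caption, severity: sig.severity } }
end

SEVERITY_ORDER = { high: 0, medium: 1, low: 2 }.freeze

# Walk every repository's file list and collect flagged files, worst first.
def scan(inventory)
  findings = inventory.flat_map { |repo, paths| paths.flat_map { |p| observe(repo, p) } }
  findings.sort_by { |f| [SEVERITY_ORDER[f[:severity]], f[:repo], f[:path]] }
end

# Constructed inventory (hypothetical names): one organization repository plus
# two member repositories, standing in for what GitRob fetches from GitHub.
INVENTORY = {
  'example-org/website' => ['README.md', 'src/app.rb', 'config/wp-config.php', 'backup/site.sql'],
  'alice/dotfiles'      => ['.bashrc', '.bash_history', '.aws/credentials', 'bin/deploy.sh'],
  'bob/infra-scripts'   => ['keys/id_rsa', 'keys/id_rsa.pub', 'certs/server.pem', '.env'],
}.freeze

if $PROGRAM_NAME == __FILE__
  scan(INVENTORY).each do |f|
    puts format('%-6s %-22s %-22s %s', f[:severity], f[:repo], f[:path], f[:caption])
  end
end
```

Note that `keys/id_rsa.pub` is deliberately not flagged: the signature matches the exact filename `id_rsa`, so a public key does not produce a false positive, while the matching private key, the PEM file and the AWS credentials file all surface as high-severity findings. A real scan would replace `INVENTORY` with the repository and file listings pulled from the GitHub API, which is the part that takes a while for organizations with many public repositories.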

GitRob bundles a Sinatra web application, started on the local machine, in which the results of the search are presented for review.

Highly sensitive info found while testing

Henriksen says that during his testing of the utility he found important details leaked by employees of various companies.

He discovered details of internal network infrastructure, emails, passwords, usernames, API keys, hostnames, secret tokens, password databases that could be brute-forced, Amazon EC2 credentials and private keys, and SSH keys.

In one instance, a developer had open-sourced a WordPress website together with a database dump containing the password hash for his own account. That hash could be cracked offline and the recovered password tried against his other online accounts.

The purposes GitRob can be used for range from helping penetration testers gather initial information when devising an attack, to letting organizations verify that their sensitive files have not ended up in public.

GitRob (7 images; three captions recovered)

GitRob highlights findings of interest
GitRob flags data of interest as soon as it finds it
Quick-filter option allows pinpointing more specific files