Security expert and programmer Paul Price recently launched Shhgit, a new tool with a web front-end that scans GitHub for sensitive data such as passwords and cryptographic keys.
According to Price, Shhgit watches public code repositories like GitHub for secrets. Sensitive information committed to a public repository can quickly become available to bad actors, and a single leaked credential can result in a massive data breach.
For Dangerous Data and Files
Shhgit is an open-source tool that scans code repositories for dangerous data and files. It can find secrets that have been accidentally committed, in near real time. Surfacing the leak quickly gives developers a window in which to revoke and remove the sensitive information before attackers find it and use it for their own purposes.
The tool is upfront about the secrets it uncovers: it provides a front-end that shows the findings as they appear on GitHub. That transparency means attackers watching the feed can spot exploitable leaks just as easily, but it also pushes developers to be more careful, since it demonstrates that anything pushed to a public repository should be treated as already compromised.
Shhgit is not limited to its built-in list of dangerous data either. It can be configured with custom signatures for whatever the user is interested in, such as Ethereum wallet addresses.
Price, who is also known by the moniker Darkport, acknowledged that it is not unusual to find secrets with devastating potential on GitHub. Novice coders might inadvertently leave passwords or private keys inside a repository, where anyone can read them.
Furthermore, there are dozens of open-source tools, like truffleHog and gitrob, that can search through commit history to uncover secret tokens from particular users, organizations, or repositories. These tools are free and readily available to anyone.
Unwittingly Expose Secrets
The security specialist also explained that software developers sometimes unwittingly expose secrets through code repositories, and that they should take steps to ensure credentials never end up in a code base. At a minimum, secrets should be kept out of committed config files, and any config that must hold them should be encrypted with a key supplied from the environment rather than stored alongside the code.
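To make the two points above concrete, the scanning with custom signatures that Shhgit performs and the "keep secrets out of committed config" advice, here is an added example in Python. It is not Shhgit's own code (Shhgit is written in Go and uses its own signature format); it is a small signature scanner of the same kind, with a user-supplied Ethereum address rule, an entropy filter to drop obvious placeholders, and a constructed mini-repository containing a "before" config with hardcoded credentials and an "after" config that reads them from the environment. All file contents, key values and rule names are constructed for illustration.

```python
"""Signature-based secret scanner run over an in-memory set of files.

Added example, not Shhgit's own code. Rules, file contents and credential
values below are constructed for illustration; the AWS key ID is the
placeholder value AWS uses in its own documentation.
"""
import math
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: re.Pattern      # group(1) must capture the secret value
    min_entropy: float = 0.0  # Shannon bits/char required of group(1); 0 = off


# Built-in style rules plus one custom rule (Ethereum address), as a user
# of such a scanner would add for their own interests.
SIGNATURES = [
    Signature("AWS access key ID", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    Signature("Private key block",
              re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----)")),
    Signature("Ethereum address", re.compile(r"\b(0x[0-9a-fA-F]{40})\b")),
    # Generic "name = 'value'" assignment; only flagged when the value looks
    # random enough to be a real credential rather than a placeholder.
    Signature("Hardcoded credential",
              re.compile(r"""(?i)(?:secret|password|passwd|api[_-]?key|token)\s*[:=]\s*['"]([^'"]{16,})['"]"""),
              min_entropy=3.0),
]


def shannon_entropy(s: str) -> float:
    """Bits per character; 0 for empty or single-character strings."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    value: str


def scan_text(path: str, text: str, signatures=SIGNATURES) -> list:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for sig in signatures:
            for m in sig.pattern.finditer(line):
                value = m.group(1)
                if sig.min_entropy and shannon_entropy(value) < sig.min_entropy:
                    continue  # low-entropy placeholder such as 'xxxxxxxx'
                findings.append(Finding(path, line_no, sig.name, value))
    return findings


def scan_files(files: dict, signatures=SIGNATURES) -> list:
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text, signatures))
    return out


def redact(value: str) -> str:
    """Never echo the full secret in a report; keep a short prefix only."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def report(findings) -> list:
    return [f"{f.path}:{f.line_no} {f.rule}: {redact(f.value)}" for f in findings]


# Constructed mini-repository: the mistake, and the fix.
SAMPLE_REPO = {
    "settings_before.py": (
        "# constructed example of the mistake: credentials committed in source\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "DB_PASSWORD = 's3cr3tT0kenValue9xQ2p'\n"
        "PLACEHOLDER_PASSWORD = 'xxxxxxxxxxxxxxxxxxxx'\n"
        "PAYOUT_ADDRESS = '0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef'\n"
    ),
    "deploy_key": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQ\n"   # constructed body
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "settings_after.py": (
        "import os\n"
        "AWS_ACCESS_KEY_ID = os.environ['AWS_ACCESS_KEY_ID']\n"
        "DB_PASSWORD = os.environ['DB_PASSWORD']\n"
    ),
}


if __name__ == "__main__":
    for line in report(scan_files(SAMPLE_REPO)):
        print(line)
```

Running it flags four lines in the "before" files (the AWS key ID, the high-entropy database password, the Ethereum address from the custom rule, and the private key header) and nothing in `settings_after.py`, where the values come from the environment and no literal is present to match. The placeholder password is matched by the regex but dropped by the entropy check, which is the usual way such scanners keep the noise down.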
While searching public code repositories for private data has gone on since GitHub launched, recent breaches have underlined the dangers of shoddy secrets handling and shown how it can lead to huge fines and damaged reputations. A prime example is the Capital One breach, which exposed the personal information of more than 100 million people.
Shhgit can be downloaded for free. Price is reportedly also looking for hosting sponsors, as traffic to the new tool is understandably high: there is never a shortage of people eager to uncover the secrets of others.