- Researcher found 17,000 secrets exposed in GitLab Cloud repositories
- Credential leaks risk hijacking, cryptomining, and further compromising infrastructure.
- Marshall's automated scans yielded $9,000 in bounties; some projects remain exposed
A security researcher has discovered thousands of secrets in public GitLab Cloud repositories, demonstrating how software developers inadvertently expose their own projects to cyberattacks.
GitLab Cloud is the hosted version of GitLab, a platform that developers use to store code, track issues, run CI/CD pipelines, and collaborate on software projects.
Recently, security researcher Luke Marshall scanned GitLab Cloud, Bitbucket, and Common Crawl for API keys, passwords, and tokens. On GitLab Cloud, 17,000 secrets were exposed in public repositories, spread across 2,800 unique domains. On Bitbucket, he found more than 6,200 secrets in 2.6 million repositories, and on Common Crawl, 12,000 valid secrets.
Analysis Automation
Hackers who find these credentials can hijack cloud accounts, steal data, deploy cryptominers, impersonate services, or penetrate deeper into an organization’s infrastructure. Even a single token leak can give attackers long-term access to internal systems, allowing them to modify code, drain resources, or launch other attacks without being detected.
Although most of the secrets were relatively new (generated after 2018), some were decades old and still valid, which almost certainly means they were discovered by malicious actors and used in attacks. Most of the secrets were Google Cloud Platform (GCP) credentials and MongoDB keys. Other notable mentions include Telegram bot tokens, OpenAI keys, and GitLab keys.
Explaining the process, Marshall said he had managed to automate most of it. It took him about 24 hours and just under $800 to do everything, and the investment paid off: he reportedly collected about $9,000 in bug bounties for his efforts. He was also able to automate the notification process. Many notified developers have secured their projects, but some still remain exposed, he said.
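The cheapest place to catch the secret families this article names (GCP service account keys, MongoDB connection strings, Telegram bot tokens, OpenAI keys, GitLab tokens) is before they reach a public repository. The following added example, which is not part of the article or of Marshall's tooling, is a minimal pre-commit style scanner: each rule is a regex for one secret family, the sample configuration it scans is constructed with fake values, and findings are reported with a masked preview so the tool never echoes a full credential into CI logs. The token formats (prefix plus length) are assumptions about each provider's current format and will need tuning as formats change.

```python
import re
from dataclasses import dataclass

# Detection rules, one per secret family named in the article. The exact
# formats are assumptions (prefix and length as commonly observed) and are
# deliberately loose; a real deployment pairs them with entropy checks and
# allow-lists to keep false positives manageable.
SECRET_PATTERNS = {
    # GCP service account JSON keys embed PEM private key material.
    "gcp_private_key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    # A MongoDB URI only counts when it carries user:password@ credentials.
    "mongodb_uri_with_credentials": re.compile(
        r"mongodb(?:\+srv)?://[^:/\s]+:[^@\s]+@[^\s]+"
    ),
    # Telegram bot tokens: numeric bot id, colon, 35-char secret (assumed).
    "telegram_bot_token": re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b"),
    # OpenAI keys: "sk-" prefix, optionally "sk-proj-" (assumed).
    "openai_api_key": re.compile(r"\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}\b"),
    # GitLab personal access tokens: "glpat-" prefix (assumed).
    "gitlab_pat": re.compile(r"\bglpat-[A-Za-z0-9_-]{20,}\b"),
}

# Constructed sample file; every value below is fake and for demonstration only.
SAMPLE_CONFIG = """\
# deploy settings
DB_URL=mongodb+srv://appuser:Sup3rS3cret@cluster0.example.net/prod
TELEGRAM_TOKEN=123456789:AAHfakefakefakefakefakefakefakefake
OPENAI_API_KEY=sk-fakefakefakefakefakefakefakefakefakefakefakefake
GITLAB_TOKEN=glpat-fakefakefakefakefake
LOG_LEVEL=info
{"type": "service_account", "private_key": "-----BEGIN PRIVATE KEY-----MIIE..."}
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    preview: str  # masked; the full matched secret is never stored or printed


def mask(secret: str) -> str:
    """Keep a short prefix and the length for triage, never the whole value."""
    return f"{secret[:6]}...({len(secret)} chars)"


def scan_text(text: str) -> list[Finding]:
    """Run every rule over every line and collect masked findings in order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(rule, line_no, mask(match.group(0))))
    return findings


def has_secrets(text: str) -> bool:
    return bool(scan_text(text))


def rules_hit(text: str) -> list[str]:
    """Distinct rule names that fired, sorted for stable reporting."""
    return sorted({f.rule for f in scan_text(text)})


def main(paths: list[str]) -> int:
    """Pre-commit entry point: non-zero exit blocks the commit if anything fires."""
    exit_code = 0
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for f in scan_text(fh.read()):
                print(f"{path}:{f.line_no}: {f.rule}: {f.preview}")
                exit_code = 1
    return exit_code


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    # No arguments: demonstrate on the constructed sample instead.
    for f in scan_text(SAMPLE_CONFIG):
        print(f"sample:{f.line_no}: {f.rule}: {f.preview}")
```

Wired in as a pre-commit hook (`python scanner.py $(git diff --cached --name-only)`), a non-zero exit stops the commit before the secret ever reaches a remote; the masked preview is enough for the developer to find the offending line without the hook itself becoming a second place the secret is written down.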
Via BleepingComputer