Aqua Security’s research team, Aqua Nautilus, recently published a report highlighting a significant security vulnerability in Git-based infrastructure, commonly used by Source Code Management (SCM) systems like GitHub, GitLab, and Bitbucket. 

The report reveals that “phantom secrets” can persist in these systems, potentially exposing sensitive information to threat actors over extended periods.

Aqua Security, a cloud-native security provider, attributes the problem to the way SCM systems retain commits that developers have deleted or overwritten: a single developer mistake can leave a secret exposed long after it appears to have been removed. By scanning the top 100 organizations on GitHub, covering more than 50,000 publicly accessible repositories, Aqua Nautilus found still-active secrets belonging to entities including Cisco and Mozilla. Such exposures can lead to financial losses, reputational damage, and legal consequences.

The research highlights how credentials, API tokens, and passkeys, collectively referred to as secrets, were exposed for years across various organizations. 

Yakir Kadkoda, lead security researcher at Aqua Nautilus, emphasized the severity of the findings, urging the software development community to recognize the gravity of the issue. Kadkoda noted that even a single instance of hard-coding secrets can permanently expose them, posing risks of unauthorized access, compromised security controls, and substantial damage.

API token

Among the exposed secrets were API tokens for Cisco Meraki and the Mozilla project. According to Aqua Security, Cisco’s security team confirmed the discovery of privileged Meraki API tokens, which could grant attackers access to network devices, SNMP secrets, camera footage, and more, posing a significant threat to affected parties. Mozilla, based on Aqua Security’s report, acknowledged the leak of an API token for the Mozilla FuzzManager and another for sql.telemetry.mozilla.org, both deemed critical. 

These tokens allowed access to security vulnerabilities and confidential information related to Mozilla products and business operations.

Katie Norton, research manager at IDC, noted that Aqua Nautilus’ findings align with IDC research, which indicates that organizations often overestimate their ability to secure application secrets. Despite high confidence levels, the adoption of secrets management solutions remains low among DevSecOps tools.

Secure coding best practices

One notable incident involved the exposure of an Azure service principal token belonging to a large healthcare company. This token had high privileges and could have enabled a supply chain attack, impacting the organization and its customers. In all cases, the exposed secrets were promptly revoked.

Despite secure coding best practices advising against hard-coding secrets, many developers still do so and rely on secrets scanning tools to catch such secrets before they reach production. Phantom secrets slip past this control because the SCM keeps the overwritten or deleted content even after it disappears from the branch a scanner inspects. Most secrets scanners do not examine that retained content and, by Aqua's estimate, miss nearly 18% of exposed secrets as a result.
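The retention problem described above, as an added example that is not code from Aqua's report or from any SCM vendor: the script builds a throwaway local Git repository, hard-codes a constructed token, "removes" it first with a follow-up commit and then by rewriting history, and compares three scanning strategies. A scanner that looks only at the checked-out tree never sees the secret; one that walks all reachable history finds it until the branch is rewritten; one that enumerates every object in the store (`git cat-file --batch-all-objects`) finds it in both cases, because deleting or rewriting a commit does not delete the blob it pointed to. The token format, file name and detector regex are assumptions made for the demo, and the script needs the git CLI on PATH.

```python
"""Added example (not from Aqua's report): a secret committed to Git and then
removed or rewritten away is still in the object store. Requires the git CLI.
The token, file name and detector regex below are constructed for the demo."""
import os
import re
import shutil
import subprocess
import tempfile

# Constructed, non-functional token that imitates a prefixed API key.
FAKE_SECRET = "exk_live_0123456789abcdef0123456789abcdef"
# Hypothetical detector for that key format.
SECRET_RE = re.compile(r"\bexk_live_[0-9a-f]{32}\b")


def git(repo, *args):
    """Run a git command inside repo and return its stdout (raises on failure)."""
    return subprocess.run(["git", *args], cwd=repo, text=True,
                          capture_output=True, check=True).stdout


def scan_head(repo):
    """Naive scanner: only the files in the current HEAD tree."""
    hits = []
    for path in git(repo, "ls-tree", "-r", "--name-only", "HEAD").split():
        hits += SECRET_RE.findall(git(repo, "show", f"HEAD:{path}"))
    return hits


def scan_reachable(repo):
    """History scanner: every blob reachable from some ref (like `git log -p --all`)."""
    hits = []
    for line in git(repo, "rev-list", "--all", "--objects").splitlines():
        sha = line.split()[0]
        if git(repo, "cat-file", "-t", sha).strip() == "blob":
            hits += SECRET_RE.findall(git(repo, "cat-file", "-p", sha))
    return hits


def scan_all_objects(repo):
    """Phantom-aware scanner: every blob in the object store, reachable or not."""
    hits = []
    listing = git(repo, "cat-file", "--batch-all-objects", "--batch-check")
    for line in listing.splitlines():
        sha, otype, _size = line.split()
        if otype == "blob":
            hits += SECRET_RE.findall(git(repo, "cat-file", "-p", sha))
    return hits


def count_all(repo):
    """Number of secret matches each strategy finds in repo."""
    return {"head": len(scan_head(repo)),
            "reachable": len(scan_reachable(repo)),
            "all_objects": len(scan_all_objects(repo))}


def demo():
    """Commit a secret, remove it two ways, and compare the three scanners."""
    repo = tempfile.mkdtemp(prefix="phantom-secret-")
    try:
        git(repo, "init", "-q")
        git(repo, "config", "user.email", "dev@example.invalid")
        git(repo, "config", "user.name", "dev")
        cfg = os.path.join(repo, "config.py")

        # 1. The token is hard-coded and committed.
        with open(cfg, "w") as f:
            f.write(f'API_KEY = "{FAKE_SECRET}"\n')
        git(repo, "add", "config.py")
        git(repo, "commit", "-q", "-m", "add client config")

        # 2. "Fix" #1: replace it with an environment lookup in a new commit.
        with open(cfg, "w") as f:
            f.write('import os\nAPI_KEY = os.environ["API_KEY"]\n')
        git(repo, "commit", "-q", "-am", "stop hard-coding the key")
        after_fix_commit = count_all(repo)

        # 3. "Fix" #2: rewrite history so the bad commit leaves the branch:
        #    move the branch back to the root commit (keeping the clean
        #    index), amend, and expire the reflog too. The old commit and
        #    its blob are now unreachable, yet still present on disk.
        root = git(repo, "rev-list", "--max-parents=0", "HEAD").strip()
        git(repo, "reset", "-q", "--soft", root)
        git(repo, "commit", "-q", "--amend", "-m", "add client config")
        git(repo, "reflog", "expire", "--expire=now", "--all")
        after_rewrite = count_all(repo)
        return after_fix_commit, after_rewrite
    finally:
        shutil.rmtree(repo, ignore_errors=True)


if __name__ == "__main__":
    fix, rewrite = demo()
    print("after follow-up commit:", fix)
    print("after history rewrite: ", rewrite)
```

Locally, `git gc --prune=now` would eventually discard the unreachable blob; the article's point is that the hosted SCM keeps such objects, so a scanner that stops at HEAD, or even at all reachable history, reports the repository clean while the secret remains retrievable. Treat any token that was ever committed as compromised and rotate it; removing it from the branch is not remediation.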

Amir Jerbi, CTO and co-founder of Aqua Security, reinforced the necessity of not embedding secrets in code, even for testing purposes. He stressed the importance of monitoring and secure engineering practices, particularly as the software supply chain prioritizes speed and convenience.
