- A researcher found 17,000 exposed secrets in GitLab Cloud repositories
- Leaked credentials risk hijacking, cryptomining and deeper infrastructure compromise
- Marshall automated scans, earned $9,000 in bounties; some projects remain exposed
A security researcher found thousands of secrets in public GitLab Cloud repositories, demonstrating how software developers are inadvertently putting their own projects at risk of cyberattacks.
GitLab Cloud is the hosted version of GitLab, a platform developers use to store code, track issues, run CI/CD pipelines, and collaborate on software projects.
Recently, security researcher Luke Marshall scanned GitLab Cloud, Bitbucket and Common Crawl for API keys, passwords, tokens and similar credentials, and found quite a few. On GitLab Cloud, there were 17,000 secrets exposed in public archives, spread over 2,800 unique domains. On Bitbucket, he found more than 6,200 secrets across 2.6 million repositories, and on Common Crawl 12,000 valid secrets.
Automating the scan
Hackers who find these credentials can hijack cloud accounts, steal data, deploy cryptominers, impersonate services, or pivot deeper into an organization’s infrastructure. Even a single leaked token can give attackers long-term access to internal systems, allowing them to modify code, drain resources, or launch additional attacks without being detected.
While most of the secrets were relatively new (generated after 2018), some were decades old and still valid, which almost certainly means they were discovered by malicious actors and used in attacks. Most of the secrets were Google Cloud Platform (GCP) credentials and MongoDB keys. Other notable mentions include Telegram bot tokens, OpenAI keys, and GitLab keys.
Marshall explained the process and said he managed to automate most of it. It took him about 24 hours and just under $800 to get it all done. However, it was worth his time and his money as he reportedly managed to collect around $9,000 in bounties for his efforts. He was also able to automate the notification process. Many of the notified developers secured their projects, but some remain exposed even now, he said.
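As an added illustration of the kind of automated check described above (example code written for this article, not the researcher's tooling), here is a small Python scanner that flags the credential types the piece names, run over a constructed CI config with dummy values; the token-format regexes are my own assumptions about common token shapes and should be tuned against real findings before being used as a pre-commit or pipeline gate.

```python
import re

# Detection rules for the credential types named in the article. The patterns are
# this example's own assumptions about common token shapes, not GitLab's or the
# researcher's rules, so tune them against real findings before relying on them.
SECRET_PATTERNS = {
    "gitlab_pat": re.compile(r"\bglpat-[A-Za-z0-9_\-]{20,}\b"),
    "openai_key": re.compile(r"\bsk-[A-Za-z0-9_\-]{20,}\b"),
    "telegram_bot_token": re.compile(r"\b\d{8,10}:[A-Za-z0-9_\-]{35}\b"),
    "mongodb_uri_with_password": re.compile(r"mongodb(?:\+srv)?://[^:/\s]+:[^@\s]+@"),
    "gcp_service_account_key": re.compile(r'"type"\s*:\s*"service_account"'),
}

def redact(value):
    """Keep only a short prefix so reports and tickets never re-leak the secret."""
    return value[:6] + "..." if len(value) > 6 else "..."

def scan_text(text, source="<memory>"):
    """Return a list of (source, line_no, rule, redacted_match) for each hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((source, line_no, rule, redact(match.group(0))))
    return findings

# Constructed sample repository content; every value is a dummy, not a live credential.
SAMPLE_CI_CONFIG = """\
deploy:
  script:
    - curl --header "PRIVATE-TOKEN: glpat-EXAMPLEexampleEXAMPLE00" https://gitlab.example/api
variables:
  MONGO_URL: mongodb+srv://app_user:S3cretP4ss@cluster0.example.net/prod
  OPENAI_API_KEY: sk-EXAMPLEEXAMPLEEXAMPLEEXAMPLE1234
  TG_BOT: 123456789:AAExampleExampleExampleExampleExa12
  GCP_KEY: '{"type": "service_account", "project_id": "example"}'
  SAFE_SETTING: just a normal value
"""

if __name__ == "__main__":
    # A non-empty result is the signal a pre-commit hook or CI job would fail on.
    for src, line_no, rule, shown in scan_text(SAMPLE_CI_CONFIG, "ci.yml"):
        print(f"{src}:{line_no}: {rule}: {shown}")
```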
Via Bleeping Computer