For years, developers have been cautioned against hard-coding secrets into their code. Yet new research reveals that even a single instance can permanently expose these secrets, and conventional scanning tools often miss them. Our findings show that nearly 18% of secrets remain undetected, leaving critical credentials for cloud environments, internal infrastructures, and telemetry platforms exposed. The oversight stems from various Git-based processes and behaviors of Source Code Management (SCM) platforms that are not fully understood by developers and AppSec professionals.
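One concrete way a secret can outlive the code that contained it is that Git keeps the old file content as an object in the repository even after the working tree no longer contains it, so a scanner that only reads checked-out files sees nothing. The following Python example is added here to illustrate that gap; it is not the research team's tooling and the specific Git behavior it models (a leaked blob that survives as a loose object) is an assumption about one of the "Git-based processes" the text refers to. It writes a loose blob object the way Git does, checks out a clean working tree beside it, and compares a naive working-tree scan with a scan of the object store. The detection patterns and the sample key value are constructed for the demonstration.

```python
import hashlib
import re
import tempfile
import zlib
from pathlib import Path

# Constructed detection patterns for this example (not a complete rule set).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "generic_api_key": re.compile(
        rb"api[_-]?key\s*[:=]\s*['\"][A-Za-z0-9]{32,}['\"]", re.IGNORECASE
    ),
}


def write_blob(repo: Path, content: bytes) -> str:
    """Store `content` as a loose Git blob (header + zlib) and return its SHA-1.

    This mirrors Git's on-disk format so the demo needs no git binary.
    """
    store = b"blob %d\0" % len(content) + content
    sha = hashlib.sha1(store).hexdigest()
    obj_path = repo / ".git" / "objects" / sha[:2] / sha[2:]
    obj_path.parent.mkdir(parents=True, exist_ok=True)
    obj_path.write_bytes(zlib.compress(store))
    return sha


def scan_bytes(data: bytes, origin: str) -> list:
    """Run every pattern over `data`; return (origin, rule, match) tuples."""
    findings = []
    for rule, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(data):
            findings.append((origin, rule, m.group(0).decode(errors="replace")))
    return findings


def scan_working_tree(repo: Path) -> list:
    """Naive scan: only the files currently checked out, .git excluded."""
    findings = []
    for path in repo.rglob("*"):
        if ".git" in path.parts or not path.is_file():
            continue
        findings.extend(scan_bytes(path.read_bytes(), str(path.relative_to(repo))))
    return findings


def scan_loose_objects(repo: Path) -> list:
    """Deeper scan: decompress every loose object and inspect blob bodies.

    Packed objects (.git/objects/pack) would need pack parsing and are skipped.
    """
    findings = []
    objects_dir = repo / ".git" / "objects"
    for obj in objects_dir.rglob("*"):
        if not obj.is_file() or obj.parent.name in ("info", "pack"):
            continue
        raw = zlib.decompress(obj.read_bytes())
        header, _, body = raw.partition(b"\0")
        if not header.startswith(b"blob "):
            continue  # commits and trees carry no file content
        sha = obj.parent.name + obj.name
        findings.extend(scan_bytes(body, f"object {sha}"))
    return findings


def demo() -> dict:
    """Build a constructed repo where the secret exists only as a loose blob."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        (repo / ".git" / "objects").mkdir(parents=True)
        # Constructed sample: the original, leaked version of config.py.
        leaked = b'AWS_KEY = "AKIAEXAMPLEKEY000000"\n'
        sha = write_blob(repo, leaked)
        # The checked-out file has since been "fixed" to read from the environment.
        (repo / "config.py").write_bytes(b'AWS_KEY = os.environ["AWS_KEY"]\n')
        return {
            "tree": scan_working_tree(repo),
            "objects": scan_loose_objects(repo),
            "sha": sha,
        }


if __name__ == "__main__":
    result = demo()
    print("working tree :", result["tree"])
    print("loose objects:", result["objects"])
```

Running the script shows an empty list for the working tree and one finding for the object store, attributed to the blob's SHA-1. A production scanner would also have to walk pack files and, for hosted SCM platforms, anything the server still serves by object id; this snippet deliberately covers only the loose-object case to make the difference between the two scan depths visible.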
The research uncovered severe security breaches, including access to the cloud environments of major organizations and internal tools like Mozilla’s FuzzManager and telemetry platforms. These breaches underscore the limitations of current scanning methods and highlight the necessity for adopting advanced strategies to discover hidden secrets. By doing so, we aim to prevent potential attacks and safeguard sensitive data.