Researchers examined text strings matching 15 different API token formats as well as four cryptographic key formats. These token formats came from 15 separate services provided by 11 companies, including popular ones such as Google, Amazon, and Twitter. GitHub files were scanned from October 31st, 2017 until April 20th, 2018. In total, 575,456 API tokens and cryptographic keys were found, spread across 100,000 repositories. A single owner account is responsible for 93 percent of the files. More than 7,000 RSA keys were found within OpenVPN files. The majority of those users did not use password authentication; instead they relied on these RSA keys. Attackers could possibly use such keys to gain access to private networks. “We have discussed the results with GitHub. They initiated an internal project to detect and notify developers about leaked secrets right around the time we were wrapping up our study. This project was publicly acknowledged in October 2018,” said the researchers.
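As an added illustration of the format-based scanning the study relied on (example code written for this page, not the researchers' own scanner): the regular expressions are assumptions based on publicly documented key shapes, the sample input is constructed, and reported values are redacted so a finding does not itself leak the secret.

```python
import re

# Added example, not the study's code. The patterns are assumptions based on
# publicly documented key shapes and are illustrative rather than exhaustive.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z\-_]{35}\b"),
    # Asymmetric keys are located by their PEM header, not by the key body.
    "rsa_private_key": re.compile(r"-----BEGIN RSA PRIVATE KEY-----"),
}

def redact(token: str, keep: int = 4) -> str:
    """Keep only a short prefix so the report does not reproduce the secret."""
    return token[:keep] + "..." if len(token) > keep else token

def scan_text(text: str) -> list[dict]:
    """Return one finding per match: format name, 1-based line, redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(
                    {"format": name, "line": lineno, "value": redact(m.group(0))}
                )
    return findings

# Constructed sample input: a fake OpenVPN client config with an inline key,
# followed by a settings file carrying placeholder credentials. No real secrets.
SAMPLE = """client
remote vpn.example.invalid 1194
<key>
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAexampleexampleexampleexample
-----END RSA PRIVATE KEY-----
</key>
# settings.py
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE00"
GOOGLE_API_KEY = "AIzaSyExampleExampleExampleExampleExam1"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f['line']:>3}: {f['format']} -> {f['value']}")
```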
By Akshay Rohatgi and Randy Pargman