New Web App to Scan for Private Keys and Passwords
The objective of Paul Price’s new web app, Shhgit, is to scan for leaked secrets such as private keys and passwords, reducing the chances of your private keys being exposed.
The leakage of secrets through public code repositories is not a new threat; it has existed since GitHub and similar sites launched more than ten years ago.
Software developers can accidentally leak sensitive information, including private keys for third-party services, on code hosting platforms such as GitHub, GitLab, and BitBucket.
Such keys, and the data they protect, may end up in the hands of criminals, which can lead to significant data breaches like those at Capital One, Scotiabank, and Uber in 2016.
According to Price, various open-source tools, such as gitrob and truffleHog, focus on digging into “commit history to find secret tokens from specific repositories, users or organisations.”
Price also noted that GitHub itself actively searches for secrets through its token scanning campaign. Its objective is to “identify secret tokens within committed code in real-time and notify the provider who will automatically revoke the token to prevent any abuse.”
Inspired by Gitrob, Shhgit monitors committed code in real time, so that unintentionally revealed secrets can be removed before hackers identify them.
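To make concrete what scanners like truffleHog and Shhgit look for in committed code, here is a small secret detector added as an example (it is not Shhgit’s code and the rules are not its signature set): a few illustrative regular expressions plus a Shannon-entropy filter that separates random-looking tokens from placeholder strings, run over a constructed sample of a committed config file.

```python
import math
import re

# Illustrative rules constructed for this example, not Shhgit's own signatures.
RULES = {
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "assigned_secret": re.compile(
        r"(?i)(?:secret|token|password|api_key)\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"
    ),
}

# Constructed sample of a committed config file (no real credentials).
SAMPLE_COMMIT = """# constructed sample of a committed config file
db_password = "changeme_changeme_ok"
aws_key = AKIAIOSFODNN7EXAMPLE
API_TOKEN="q8Zr3mT1xN9vK2pL7wB4yH6dJ0sF5aGc"
-----BEGIN RSA PRIVATE KEY-----
MIIEconstructedNotARealKeyBody
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens score high, dictionary-like placeholders low."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_text(text: str, min_entropy: float = 3.5) -> list:
    """Return (line_number, rule_name, value) for each likely secret in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES.items():
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                # Assignment-style matches are only flagged when the value looks random;
                # this drops placeholders such as "changeme_changeme_ok".
                if name == "assigned_secret" and shannon_entropy(value) < min_entropy:
                    continue
                findings.append((lineno, name, value))
    return findings

if __name__ == "__main__":
    for lineno, rule, value in scan_text(SAMPLE_COMMIT):
        print(f"line {lineno}: {rule}: {value}")
```

Running it reports the AWS-style key, the high-entropy API token and the private key header, while the low-entropy placeholder password is skipped; a real scanner applies the same idea across every commit it sees.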