White-Hat Hacker Uncovers $25k Worth of Secrets in GitHub’s “Oops Commits” and Open-Sources New Tool to Detect Them
Sharon Brizinov, a white-hat hacker, has published a method for scanning GitHub for "oops commits": commits that exposed credentials or API keys and were then force-pushed out of a branch's history. His approach combines the GH Archive project with the GitHub Event API to find such pushes and recover the commits they removed, which GitHub keeps serving even after they have been force-pushed away. The security implication is significant: force pushing is widely believed to remove sensitive data, but the pushed-away commit stays retrievable indefinitely.

Background
Brizinov usually focuses on low-level vulnerabilities in OT/IoT devices but occasionally works on bug bounties. His previous post, "How I Made 64k From Deleted Files," described how he used TruffleHog to find high-value secrets in public GitHub repositories. This time he set out to identify and access deleted commits at scale, in collaboration with Truffle Security's Research CFP program.

Understanding Force Pushes
A force push rewinds a branch to an earlier commit on the developer's machine and then overwrites the remote branch with that state, so the latest commit disappears from the visible history. The commit object itself is not deleted: GitHub retains it, and anyone who knows its hash can still view it through the web UI or the API. Full hashes are not even required. GitHub resolves very short prefixes (the first four hex digits), and with only 16^4 = 65,536 possible four-digit prefixes the whole space can be enumerated.

GitHub Event API and GH Archive
The GitHub Event API provides a near-real-time feed of public activity, including push events. A PushEvent whose payload carries zero commits means the branch head was moved without any new commits being added, which is the signature of a force push; the payload's "before" field is the hash of the commit the branch pointed at before the push, that is, the commit that was pushed away. Because the API only reaches back a limited time, Brizinov turned to GH Archive, an open-source project that systematically records the public event stream and makes it available for download. By downloading and analysing these archived events, Brizinov and the Truffle Security team identified thousands of deleted commits that still contained active secrets.
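The force-push behaviour described above, reproduced as an added example (this is not code from Brizinov's post or from the Force Push Scanner project). It uses a local bare repository as a stand-in for GitHub, assumes git is on PATH, and commits a constructed placeholder secret; the helper names (git, oops_commit_survives_force_push) are this example's own.

```python
"""Added example: a force push does not delete the pushed-away commit from the remote.

A local bare repository stands in for GitHub (constructed here, not a real remote).
Assumes `git` is on PATH. Everything happens in a temporary directory.
"""
import subprocess
import tempfile
from pathlib import Path

# Constructed placeholder, not a real credential.
FAKE_SECRET = "AWS_SECRET_ACCESS_KEY=EXAMPLEKEY0000000000000000NOTREAL"


def git(*args: str, cwd: Path) -> str:
    """Run one git command and return its stdout, raising on a non-zero exit."""
    return subprocess.run(
        ["git", *args], cwd=cwd, check=True, capture_output=True, text=True
    ).stdout.strip()


def oops_commit_survives_force_push() -> dict:
    """Commit a secret, push it, force-push it away, then read it back from the remote by hash."""
    work = Path(tempfile.mkdtemp())
    remote, clone = work / "remote.git", work / "clone"
    remote.mkdir()
    clone.mkdir()
    git("init", "--bare", "--quiet", cwd=remote)
    git("init", "--quiet", cwd=clone)
    git("config", "user.name", "demo", cwd=clone)
    git("config", "user.email", "demo@example.com", cwd=clone)
    git("remote", "add", "origin", str(remote), cwd=clone)
    branch = git("symbolic-ref", "--short", "HEAD", cwd=clone)

    (clone / "README.md").write_text("demo\n")
    git("add", "README.md", cwd=clone)
    git("commit", "--quiet", "-m", "initial commit", cwd=clone)
    git("push", "--quiet", "origin", branch, cwd=clone)

    # The "oops": a secret is committed and pushed.
    (clone / ".env").write_text(FAKE_SECRET + "\n")
    git("add", ".env", cwd=clone)
    git("commit", "--quiet", "-m", "add config (oops)", cwd=clone)
    git("push", "--quiet", "origin", branch, cwd=clone)
    oops_sha = git("rev-parse", "HEAD", cwd=clone)

    # The "fix" most people reach for: rewind the branch and force push.
    git("reset", "--quiet", "--hard", "HEAD~1", cwd=clone)
    git("push", "--quiet", "--force", "origin", branch, cwd=clone)

    # On the remote the branch no longer references the oops commit...
    remote_head = git("rev-parse", branch, cwd=remote)
    # ...but the commit object is still stored there and readable by hash.
    # (The full hash is used here; the page reports GitHub also resolves 4-char prefixes,
    # which a local repository may reject as ambiguous.)
    object_present = subprocess.run(
        ["git", "cat-file", "-e", f"{oops_sha}^{{commit}}"],
        cwd=remote, capture_output=True,
    ).returncode == 0
    recovered = git("show", f"{oops_sha}:.env", cwd=remote) if object_present else None

    return {
        "oops_sha": oops_sha,
        "branch_points_at_oops": remote_head == oops_sha,
        "object_present_on_remote": object_present,
        "recovered_secret": recovered,
    }


if __name__ == "__main__":
    print(oops_commit_survives_force_push())
```

Running it returns a dict showing that the remote branch no longer points at the oops commit while git cat-file still finds the object and git show reads the secret back. One difference from GitHub: on this local remote, git gc --prune=now would eventually discard the unreachable object, whereas the research above is built on the observation that GitHub keeps serving such commits.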
Building the Tool
Truffle Security and Brizinov have open-sourced the Force Push Scanner to help organizations and individual users detect and remediate secrets leaked in these hidden commits. The tool queries the GH Archive dataset (also hosted on Google BigQuery) for zero-commit push events, takes the "before" commit hash from each event, fetches that commit from GitHub, and scans its contents for secrets with TruffleHog.

Hunting for Impactful Secrets
After the automated run, Brizinov manually triaged the findings to single out the most valuable secrets. He prioritised commits authored from corporate e-mail addresses and used TruffleHog Analyze to determine the scope and impact of each credential. GitHub Personal Access Tokens (PATs) and AWS credentials yielded the highest bounties. MongoDB credentials were another frequent finding, often leaked by junior developers and students.

Case Study: Preventing a Mass Supply-Chain Attack
One of the most significant secrets Brizinov uncovered was a GitHub PAT with admin access to all Istio repositories. Istio is a widely used open-source service mesh adopted by major companies such as Google, IBM and Red Hat. With admin access, an attacker could have modified environment variables, altered CI pipelines, pushed malicious code, or deleted the entire project, which is the makings of a severe supply-chain attack. Upon receiving the report, the Istio team promptly revoked the token.

Summary
Brizinov's project demonstrates that deleting a commit on GitHub does not equate to securing the information in it: a commit that has been force-pushed away remains accessible to anyone who knows or enumerates its hash. Rewriting history is therefore not a remediation; the only effective response to a leaked credential is to treat it as compromised and revoke and rotate it immediately. The open-source Force Push Scanner lets teams find these hidden commits in their own organizations and act on them before someone else does.
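The three-step pipeline described under "Building the Tool" (find zero-commit push events, take the "before" hash, scan the commit) as an added Python example; this is not the Force Push Scanner's own code. The GH Archive lines, the commit contents and the fetch_commit callable are constructed stand-ins (the real tool reads GH Archive files or BigQuery and fetches commits from GitHub), and the two regexes are a minimal stand-in for TruffleHog rather than a substitute for it. The all-zero "before" filter is this example's own assumption: GitHub reports a "before" value of forty zeros when the ref did not previously exist, so there is no pushed-away commit to recover.

```python
"""Added example: the Force Push Scanner pipeline in miniature.

Step 1 picks zero-commit PushEvents out of GH Archive data, step 2 takes the
"before" hash (the commit the branch pointed at before the push, i.e. the one
that was pushed away), step 3 scans that commit's content for secrets.
Everything here is constructed: the events, the commit contents, the fetcher,
and the regex scanner standing in for TruffleHog. Not the tool's own code.
"""
import json
import re
from typing import Callable, Iterable, Iterator

# Assumption: GitHub reports 40 zeros as "before" when the ref did not exist yet,
# so such a push has no hidden predecessor and is skipped.
ZERO_SHA = "0" * 40

# Constructed sample in GH Archive's layout: one JSON event per line.
SAMPLE_GHARCHIVE_LINES = "\n".join(json.dumps(e) for e in [
    {"type": "PushEvent", "created_at": "2024-06-01T12:00:00Z",   # force push hiding a secret
     "repo": {"name": "example-org/service"},
     "payload": {"ref": "refs/heads/main", "size": 0, "distinct_size": 0,
                 "before": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0",
                 "head": "0123456789abcdef0123456789abcdef01234567", "commits": []}},
    {"type": "PushEvent", "created_at": "2024-06-01T12:01:00Z",   # ordinary push
     "repo": {"name": "example-org/service"},
     "payload": {"ref": "refs/heads/main", "size": 1, "distinct_size": 1,
                 "before": "0123456789abcdef0123456789abcdef01234567",
                 "head": "89abcdef0123456789abcdef0123456789abcdef",
                 "commits": [{"sha": "89abcdef0123456789abcdef0123456789abcdef", "message": "tidy"}]}},
    {"type": "PushEvent", "created_at": "2024-06-01T12:02:00Z",   # new branch, nothing hidden
     "repo": {"name": "example-org/service"},
     "payload": {"ref": "refs/heads/feature", "size": 0, "distinct_size": 0,
                 "before": ZERO_SHA, "head": "89abcdef0123456789abcdef0123456789abcdef", "commits": []}},
    {"type": "PushEvent", "created_at": "2024-06-01T12:03:00Z",   # force push, but a clean commit
     "repo": {"name": "example-org/docs"},
     "payload": {"ref": "refs/heads/main", "size": 0, "distinct_size": 0,
                 "before": "b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1",
                 "head": "fedcba9876543210fedcba9876543210fedcba98", "commits": []}},
    {"type": "IssuesEvent", "created_at": "2024-06-01T12:04:00Z",
     "repo": {"name": "example-org/service"}, "payload": {"action": "opened"}},
])

# Constructed commit contents keyed by (repo, sha); the AWS key is AWS's documented
# example key and the PAT is a made-up string of the right shape.
FAKE_COMMITS = {
    ("example-org/service", "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0"):
        "+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "+GITHUB_TOKEN=ghp_0123456789abcdef0123456789abcdef0123\n",
    ("example-org/docs", "b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1"):
        "+# nothing sensitive here\n",
}

# Minimal detectors standing in for TruffleHog: AWS access key ID and classic GitHub PAT.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}


def iter_events(lines: str) -> Iterator[dict]:
    """Parse GH Archive JSON-lines text into event dicts."""
    for line in lines.splitlines():
        if line.strip():
            yield json.loads(line)


def find_force_pushes(events: Iterable[dict]) -> list[dict]:
    """Step 1 and 2: zero-commit PushEvents, with the pushed-away ("before") hash."""
    hits = []
    for ev in events:
        if ev.get("type") != "PushEvent":
            continue
        payload = ev["payload"]
        n_commits = payload.get("size", len(payload.get("commits", [])))
        before = payload.get("before", "")
        if n_commits != 0 or not before or before == ZERO_SHA:
            continue
        repo = ev["repo"]["name"]
        hits.append({
            "repo": repo, "ref": payload.get("ref"), "before": before,
            "head": payload.get("head"), "created_at": ev.get("created_at"),
            # GitHub still renders the pushed-away commit at its usual URL.
            "commit_url": f"https://github.com/{repo}/commit/{before}",
        })
    return hits


def scan_text(text: str) -> list[tuple[str, str]]:
    """Step 3: return (detector name, match) pairs found in commit content."""
    return [(name, m.group(0)) for name, rx in SECRET_PATTERNS.items() for m in rx.finditer(text)]


def fake_fetch_commit(repo: str, sha: str) -> str:
    """Stand-in for fetching the commit by hash from GitHub."""
    return FAKE_COMMITS.get((repo, sha), "")


def run_pipeline(archive_lines: str, fetch_commit: Callable[[str, str], str]) -> list[dict]:
    """Whole pipeline: force pushes whose hidden commit contains at least one secret."""
    leaks = []
    for hit in find_force_pushes(iter_events(archive_lines)):
        secrets = scan_text(fetch_commit(hit["repo"], hit["before"]))
        if secrets:
            leaks.append({**hit, "secrets": secrets})
    return leaks


if __name__ == "__main__":
    for leak in run_pipeline(SAMPLE_GHARCHIVE_LINES, fake_fetch_commit):
        print(leak["commit_url"], [name for name, _ in leak["secrets"]])
```

Of the five constructed events, two qualify as force pushes (the ordinary push, the branch creation with an all-zero "before", and the issue event are filtered out), and only one of those hides a secret. In a real run the fetcher would call GitHub for the "before" commit and the scan step would hand the content to TruffleHog, whose verification of live credentials is what separates a finding worth reporting from a stale string.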
Industry Insights
The findings underscore the ongoing challenge of managing sensitive data in collaborative environments. As more projects embrace open source, the risk of accidentally publishing a secret grows, and rewriting history gives a false sense of remediation. Tools like the Force Push Scanner are valuable for security hygiene because they surface the commits that ordinary repository scans no longer see. Truffle Security, known for its security tooling for software development, enabled this research and provided the practical tooling built around it.

Company Profile
Truffle Security is a provider of DevSecOps solutions focused on integrating security into the software development lifecycle. Its suite of tools, including TruffleHog, helps organizations detect and manage secrets, vulnerabilities and compliance issues. With a growing reputation in the security community, Truffle Security continues to build tools that help developers ship more secure software.