
- Researcher Luke Marshall found 17,000 exposed secrets in GitLab Cloud repositories
- Leaked credentials risk hijacks, cryptomining, and deeper infrastructure compromise
- Marshall automated scans, earned $9,000 in bounties; some projects remain exposed
A security researcher has found thousands of secrets in public GitLab Cloud repositories, demonstrating how software developers are inadvertently putting their own projects at risk of cyberattacks.
GitLab Cloud is the hosted version of GitLab, a platform developers use to store code, track issues, run CI/CD pipelines, and collaborate on software projects.
Luke Marshall has revealed how he scanned GitLab Cloud, Bitbucket, and Common Crawl for things like API keys, passwords, or tokens, and unfortunately uncovered quite a lot.
Automating the scan
On GitLab Cloud there were 17,000 secrets exposed in public repositories, spread across 2,800 unique domains. On Bitbucket, he found more than 6,200 secrets in 2.6 million repositories, and on Common Crawl, 12,000 valid secrets.
Hackers who find these credentials can hijack cloud storage accounts, steal data, deploy cryptominers, impersonate services, or pivot deeper into an organization’s infrastructure. Even a single leaked token can give attackers long-term access to internal systems, letting them modify code, drain resources, or launch further attacks without being detected.
While most of the secrets were relatively new (generated after 2018), some were decades old and still valid, which almost certainly means they were discovered by malicious actors and used in attacks. Most of the secrets were Google Cloud Platform (GCP) credentials and MongoDB keys. Other notable mentions include Telegram bot tokens, OpenAI keys, and GitLab keys.
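A defensive version of the kind of scan described above, as an added example rather than Marshall's own tooling: it runs token-shape rules for the credential types named in this article over a constructed sample file and reports redacted hits, which is the check a developer would run before pushing. The glpat- (GitLab), sk- (OpenAI) and digits:35-character (Telegram bot) shapes follow the publicly documented formats; the MongoDB and GCP rules, and the exact character classes and lengths, are my own approximations.

```python
import re
from typing import List, Tuple

# Rules for the credential types the article names. The glpat- (GitLab),
# sk- (OpenAI) and <digits>:<35 chars> (Telegram bot) shapes follow the
# publicly documented token formats; the MongoDB rule matches a connection
# string that carries a password, and the GCP rule matches the marker that
# every service-account JSON file contains. Lengths are approximations.
SECRET_PATTERNS = {
    "gitlab_pat": re.compile(r"\bglpat-[A-Za-z0-9_\-]{20,}"),
    "openai_key": re.compile(r"\bsk-[A-Za-z0-9_\-]{20,}"),
    "telegram_bot_token": re.compile(r"\b\d{8,10}:[A-Za-z0-9_\-]{35}\b"),
    "mongodb_uri_with_password": re.compile(r"mongodb(?:\+srv)?://[^:\s/]+:[^@\s]+@"),
    "gcp_service_account": re.compile(r'"type"\s*:\s*"service_account"'),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}


def redact(value: str) -> str:
    """Keep a short prefix so the finding can be located, never the full value."""
    return value[:6] + "..." if len(value) > 6 else "***"


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule_name, redacted_match) for every hit in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((lineno, name, redact(match.group(0))))
    return findings


# Constructed sample .env contents; every value is fake and only follows the
# shape of the real token format.
SAMPLE = "\n".join([
    "# constructed sample, all values fake",
    "GITLAB_TOKEN=glpat-" + "A" * 20,
    "MONGO_URL=mongodb+srv://app:hunter2@cluster0.example.net/db",
    "TELEGRAM_BOT=1234567890:" + "A" * 35,
    "OPENAI_API_KEY=sk-" + "A" * 24,
    "LOG_LEVEL=debug",
])

if __name__ == "__main__":
    for lineno, rule, preview in scan_text(SAMPLE):
        print(f"line {lineno}: {rule} ({preview})")
```

Wiring `scan_text` over each staged file in a pre-commit hook, and failing the commit on any finding, blocks the leak before it ever reaches a public repository.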
Explaining the process, Marshall said he managed to automate most of it. It took him approximately 24 hours and just under $800 to get it all done. It was worth his while, and his money, though, since he allegedly managed to pick up around $9,000 in bounties for his efforts. He was able to automate the notification process, as well. Many of the notified developers secured their projects, but some remain exposed even now, he said.
Via BleepingComputer