DeepSec 2023 Talk: The Attackers Guide to Exploiting Secrets in the Universe – Mackenzie Jackson
Exposed secrets such as API keys and other credentials are the crown jewels of an organization, yet they remain a persistent security vulnerability. Most security breaches leverage secrets somewhere along the attack path. This presentation sheds light on the various methods attackers use to discover and exploit these secrets across different technologies. The guide will include how to:
- Abuse public and private code repositories
- Decompile containers
- Decompile mobile applications from the App and Play Stores
We combine novel research, real-life attack paths, and live demos to show exactly which steps attackers take, revealing their playbook.
Recent research has shown that git repositories are treasure troves full of secrets. A year-long study showed that 10 million secrets were pushed into public repositories in 2022 alone. We will show exactly how adversaries abuse the public GitHub API to exploit secrets: first by leaking secrets in public code and watching malicious actors abuse them, and second by walking through breaches like T-Connect, where publicly exposed secrets were discovered.

Public source code, however, is only the tip of the iceberg, as private code repositories have proven to be much more valuable targets. We will show how attackers gain unauthorized access to private git repositories and discover secrets deep in their history. This will include supply chain poisoning, developer phishing, and configuration exploitation, among other techniques, and will explore breaches like Uber to show the steps the attackers took.

Finally, this talk will dive into decompiling containers, packages, and mobile applications to uncover the huge number of secrets buried within them. Not only will we review famous examples like the Codecov breach, but we will use research and live demos to show how shockingly simple it is to find secrets in these applications.
Knowing how attackers operate is essential to building effective defenses: understanding the attacker's playbook lets you anticipate their next moves. This presentation is perfect for anyone wanting to know how to prevent attackers from getting hold of your crown jewels.
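As an added example that is not part of the talk or of GitGuardian's own tooling, the scanner below shows the defensive counterpart to the three attack surfaces described above: it runs the same kind of secret detection a defender would apply before an attacker does, over constructed samples of a container image layer, a decompiled mobile resource file and a committed .env file, combining fixed-format key patterns with an entropy check on keyword-assigned values. Every file name and credential value in it is fabricated.

```python
import math
import re
from collections import Counter

# Constructed stand-ins for the three sources the talk covers: a container image layer
# (Dockerfile), a decompiled Android resource file and a git-tracked .env. All values are fake.
SAMPLES = {
    "Dockerfile": (
        "FROM python:3.11\n"
        "ENV AWS_ACCESS_KEY_ID=AKIAEXAMPLE012345678\n"
        "ENV AWS_SECRET_ACCESS_KEY=Zq8xLm3Tv9Kp2Rw5Yb7Nc4Hd6Jf1Gs0Vt3Xe5Ua8\n"
    ),
    "res/values/strings.xml": (
        '<string name="api_base">https://api.example.test</string>\n'
        '<string name="gh_token">ghp_0123456789abcdefghijABCDEFGHIJ012345</string>\n'
    ),
    ".env": "DEBUG=true\nDB_PASSWORD=S3cr3t-Pa55w0rd-x9\n",
}

# Fixed-format credentials are recognised by their well-known prefix and length.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# Everything else: a credential-like keyword with an assigned value; entropy then separates random-looking secrets from ordinary settings.
GENERIC = re.compile(r"(?i)(secret|password|passwd|token|api[_-]?key)\w*\s*[=:]\s*[\"']?([^\s\"'<]{8,})")


def shannon_entropy(value):
    """Bits per character: 0 for a repeated character, above 4 for random tokens."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def mask(value):
    # Keep only a short prefix so a finding can be logged without re-leaking the secret.
    return value[:4] + "*" * (len(value) - 4)


def scan_text(name, text, min_entropy=3.0):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append({"file": name, "line": lineno, "kind": kind, "masked": mask(m.group(0))})
        for m in GENERIC.finditer(line):
            if shannon_entropy(m.group(2)) >= min_entropy:
                findings.append({"file": name, "line": lineno, "kind": "generic_high_entropy", "masked": mask(m.group(2))})
    return findings


def scan_all(samples):
    return [f for name, text in samples.items() for f in scan_text(name, text)]
```

The XML token is missed by the keyword rule (no `=` or `:` follows the name) but caught by its fixed `ghp_` format, which is why real scanners combine both approaches rather than relying on either alone.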
We asked Mackenzie a few more questions about his talk.
Please tell us the top 5 facts about your talk.
- More than 10 million secrets were leaked on public GitHub repositories last year
- 8% of Docker images hosted on DockerHub contain a plain text secret
- Finding .git directories is a simple way to get access to private source code
- Over 50% of mobile applications contain at least 1 plain-text secret
- Source code obfuscation does not make your applications more secure
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
Each year GitGuardian does an extensive study to see how many secrets are leaked on GitHub; this year we found 10 million. The research led me to dive deeper into the problem and find out how many secrets are being leaked across different technologies like mobile applications and containers. After breaking down many recent security breaches, I recreated the steps attackers took to discover exactly how easy it was to find leaked credentials. Spoiler: the problem turned out to be much bigger than I first realized.
Why do you think this is an important topic?
When attackers break into systems they almost always want to persist and expand their access. Secrets are a great way for them to do this. When you analyse recent breaches, in almost all of them, the attackers leveraged exposed credentials in some way, either as initial access or to elevate their privileges and access. Understanding how attackers do this is important to understand how to stop them.
Is there something you want everybody to know – some good advice for our readers maybe?
Source code is a known treasure trove of credentials and secrets, but it is also very leaky. Where you find source code you will find secrets.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
We have the technology to move away from using traditional secrets in development. Slowly but surely, we can remove this as a vulnerability if we collectively work towards other methods of authentication such as dynamic secrets and zero trust.
Mackenzie is a developer advocate with a passion for DevOps and code security. As the co-founder and former CTO of a health tech startup, he learned first-hand how critical it is to build secure applications with robust developer operations. Today as a Developer Advocate at GitGuardian, Mackenzie is able to share his passion for code security with developers and works closely with research teams to show how malicious actors discover and exploit vulnerabilities in code.