Michael Meli (North Carolina State University), Matthew R. McNiece (Cisco Systems and North Carolina State University), Bradley Reaves (North Carolina State University)

GitHub and similar platforms have made public collaborative development of software commonplace. However, a problem arises when this public code must manage authentication secrets, such as API keys or cryptographic secrets. These secrets must be kept private for security, yet common development practices like adding these secrets to code make accidental leakage frequent. In this paper, we present the first large-scale and longitudinal analysis of secret leakage on GitHub. We examine billions of files collected using two complementary approaches: a nearly six-month scan of real-time public GitHub commits and a public snapshot covering 13% of open-source repositories. We focus on private key files and 11 high-impact platforms with distinctive API key formats. This focus allows us to develop conservative detection techniques that we manually and automatically evaluate to ensure accurate results. We find that not only is secret leakage pervasive — affecting over 100,000 repositories— but that thousands of new, unique secrets are leaked every day. We also use our data to explore possible root causes of leakage and to evaluate potential mitigation strategies. This work shows that secret leakage on public repository platforms is rampant and far from a solved problem, placing developers and services at persistent risk of compromise and abuse.

View More Papers

NIC: Detecting Adversarial Samples with Neural Network Invariant Checking

Shiqing Ma (Purdue University), Yingqi Liu (Purdue University), Guanhong Tao (Purdue University), Wen-Chuan Lee (Purdue University), Xiangyu Zhang (Purdue University)

Read More

Thunderclap: Exploring Vulnerabilities in Operating System IOMMU Protection via...

A. Theodore Markettos (University of Cambridge), Colin Rothwell (University of Cambridge), Brett F. Gutstein (Rice University), Allison Pearce (University of Cambridge), Peter G. Neumann (SRI International), Simon W. Moore (University of Cambridge), Robert N. M. Watson (University of Cambridge)

Read More

Digital Healthcare-Associated Infection: A Case Study on the Security...

Luis Vargas (University of Florida), Logan Blue (University of Florida), Vanessa Frost (University of Florida), Christopher Patton (University of Florida), Nolen Scaife (University of Florida), Kevin R.B. Butler (University of Florida), Patrick Traynor (University of Florida)

Read More

Robust Performance Metrics for Authentication Systems

Shridatt Sugrim (Rutgers University), Can Liu (Rutgers University), Meghan McLean (Rutgers University), Janne Lindqvist (Rutgers University)

Read More