Comments:
do you know about any services like file cloud for creating or helping to create your own personal cloud storage in home? are there services that build it and ship it can you build it and network it yourself? idk not a tech wiz just curious
i see you backed down from the shitty ai dubs lol
Man, what happened to the age old best practice of setting the secret/api key in an environment variable, then referencing/obtaining the value in the source code from the environment variable?
With the current speed of leaks, I will have to consider any of my online accounts to be open and public property.
imagine not using code secrets correctly.
IMO we should just develop a habit to create our environment file one directory up from the git project. So that even if you accidentally forget to put it in your .gitignore, it wouldn't get checked in.
Open source is a meme.
GitHub is where I go to get free openai keys
Next reason to use a zero knowledge structure instead of training ai on user private data
this really shines a light on the hidden risks of sloppy Git practices! the script breakdown is fascinating.
ahh yes... it "leaked". Conveniently right after updating the icloud service terms and conditions to explicitly state that they are not at fault for these kinds of exploits.
Computers were definitely invented for your entertainment and not to monitor/control the exchange of information.
now I know why I see "why gitlab?"
Thank you for listening to us and don't activate this awkward ai translation
I leaked 2 database passwords and 1 api key last week (I know I am a dumbass, but I just started my developer journey) so thanks, I didn't know the api key scanner existed. It will be very helpful
Ah so that's why I got kicked out of the epic games repo
Smooth af 😂
I have some personal domains set up for workers and object storage. Within the past few days I am getting a lot of hits on my storage subdomain
Self-host, problem solved
Git gud
hmhmmmmmmmmm
Always revoke
Was just looking at some logs from Apache and stuff and it's so common to get both wordpress config and .git/config requests passing by
Thank you for not forcing AI Voiceover on this video! Finally a watchable video again
I can't even get Outlook to create a POP account.. I changed the password 3 times... FFS... lolz...
This is not a hack, git issue or anything like that. It's just insane skill issues and total ignorance of security. It's not a hack when they are themselves publishing their secrets.
And this is why I'm glad to have a locally hosted git server on an intranet.
Having secrets in a commit is insane 😂
"This is a bucket."
"Dear God."
"There's more."
"No."
"It contains the credentials of every person in this room."
Tip: Also use .dockerignore and ensure you exclude .env and .git/ folder files as well. That's easy to forget. Also: NEVER store secrets in plain text on the file system unencrypted, a.k.a. have them always be "encrypted at rest". At least for production credentials if not for non/pre-production stuff.
basically a script kiddy took 30 mins to use things that were already available online.
seems to me that it's 100% github's fault for building a shitty website.
why didn't github have a simple monitor script that scans the uploaded files and warns people about this?
like: WARNING you uploaded login credentials you dumdumb!! REMOVE this
Or just use a .env.example file
OH MY ZSH!
I wonder what happens if you make a decoy git repo config with an infinite loop in the structure?
The problem is not keys in the project, the problem is exposing the .git repo lol it's an even bigger issue
time to shift left to onprem & good ol' trusty middleware
Hey Outlaw, could I ask you a question?
How TF is this git directory 18 GB??
Epic visualization!
.
I don't want to help the attackers, but the step of obtaining the creds from .git/config can be skipped, using a tool like git-dumper to download the whole repo, and that my friend would increase the target pool to apps not even using github or its token auth
Uh.... I thought we're supposed to use private keys?
Code REVIEW, MAN!!!
why wasn't this caught in code review?
There are commit hooks to avoid this...
This is exactly why I host sensitive git repos on premise lmao
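The commit hooks mentioned above, and the .env/.env.example advice from the earlier comments, can be combined into a pre-commit hook like the one below. This is an added example written for this thread, not code from the video or from any commenter; the file-name rules and credential regexes are constructed heuristics, not an exhaustive list.

```shell
#!/bin/sh
# Added example (not from the video or its comments): a git pre-commit hook
# that blocks staged .env-style files and credential-looking assignments.
# Install by copying it to .git/hooks/pre-commit and marking it executable.
# The filename and regex heuristics below are constructed for illustration.

# Exit 0 when the staged path is a file that should never be committed.
is_forbidden_path() {
  case "$1" in
    *.env.example) return 1 ;;                      # documented template is fine
    .env|*/.env|.env.*|*/.env.*) return 0 ;;        # real environment files
    *.pem|*.p12|*/id_rsa|*/id_ed25519) return 0 ;;  # private key material
  esac
  return 1
}

# Exit 0 when stdin contains something that looks like a credential:
# well-known token prefixes, or KEY=value where the value is long and opaque.
has_secret_pattern() {
  grep -Eiq \
    -e '(^|[^A-Za-z0-9])(AKIA|ASIA)[A-Z0-9]{16}([^A-Za-z0-9]|$)' \
    -e 'ghp_[A-Za-z0-9]{36}' \
    -e 'sk-[A-Za-z0-9]{20,}' \
    -e '(api[_-]?key|secret|password|token)[A-Za-z0-9_]*[[:space:]]*[=:][^A-Za-z0-9]{0,3}[A-Za-z0-9/+_-]{12,}'
}

# Walk every staged (added/copied/modified) file and report each problem.
# Note: this simple for-loop does not handle paths containing whitespace.
check_staged() {
  status=0
  for f in $(git diff --cached --name-only --diff-filter=ACM); do
    if is_forbidden_path "$f"; then
      echo "blocked: $f looks like a secrets file; add it to .gitignore" >&2
      status=1
    elif git show ":$f" | has_secret_pattern; then
      echo "blocked: $f contains a credential-looking value" >&2
      status=1
    fi
  done
  return "$status"
}

# Run the staged-file check only when git invokes this script as the hook.
if [ "${0##*/}" = "pre-commit" ]; then
  check_staged || {
    echo "commit rejected; anything already pushed must be revoked and rotated" >&2
    exit 1
  }
fi
```

A hook like this only protects the developer who installed it; the same check should also run server-side or in CI, since a local hook is skipped with `git commit --no-verify`.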
This channel and comments always read as if it's a room full of experts. Except nobody has a real clue what they are talking about.
Your first commit should be gitignoring the env
Are you now using AI for your graphics? Ewww.
do I misunderstand something or did they just not use .gitignore? was there something else?
"There is no cloud, just someone else's computer."