Aqua Security finds critical data exposures in SCM systems

Aqua Security has uncovered significant exposure of sensitive enterprise information in leading Source Code Management (SCM) systems. The security research highlights the long-term exposure of credentials, API tokens, and passkeys, collectively referred to as secrets, within publicly accessible repositories on platforms such as GitHub, GitLab, and Bitbucket.

According to Aqua Security’s research team, Aqua Nautilus, even deleted or updated code commits within Git-based infrastructure can retain secrets, exposing organisations to potential threats for extended periods. The team scanned over 50,000 repositories from the most popular 100 organisations on GitHub, discovering active secrets from both open-source and enterprise entities, including Cisco and Mozilla.

"Our findings are truly alarming, and it is crucial that everyone involved in software development grasps the seriousness of this issue," said Yakir Kadkoda, Aqua Nautilus Lead Security Researcher. "For years, we’ve been educating developers not to hard-code secrets into their code. Now, it turns out that even doing this just once permanently exposes that secret, even when they thought it was deleted or overwritten. The impact of a sensitive data leak can lead to unauthorized access, compromised security controls, and significant financial or reputational damage. This would be devastating."

Among the secrets identified were API tokens belonging to Cisco Meraki and the Mozilla project. The Cisco security team confirmed the exposure of privileged Meraki API tokens, which could allow attackers to access network devices, Simple Network Management Protocol secrets, and camera footage, posing a significant security threat to the affected parties. Mozilla acknowledged the leakage of a critical API token for its FuzzManager and an employee's API token for sql.telemetry.mozilla.org, the latter providing access to confidential information related to Mozilla products and business.

Nautilus researchers also discovered an Azure service principal token belonging to a large healthcare company in a Git commit. This high-privilege token could potentially allow an attacker to access credentials to the internal Azure Container Registry, posing a risk of a supply chain attack.

In response to these findings, all exposed secrets were immediately revoked. The research underlines the persistent nature of "phantom secrets" in SCM systems, as even code that has been overwritten or deleted can remain accessible, thus exposing secrets over time. Despite secure coding practices advising against hard coding of secrets, many developers continue this practice, often relying on secret scanning tools to mitigate the risk.

"The findings once again reinforce the best practice that secrets should never be put into code, not even for testing purposes, and security teams must be able to monitor this," said Amir Jerbi, CTO and co-founder of Aqua Security. "The software supply chain is optimized for speed and convenience, but this cannot come at the expense of secure engineering practices."

Supporting these insights, IDC research indicates that many organizations are overly confident in their ability to secure application secrets. "While organisations show high confidence in their ability to secure secrets, among DevSecOps tools the adoption of secrets management solutions is among the lowest," said Katie Norton, Research Manager, DevSecOps & Software Supply Chain Security, IDC.

Aqua Security has indicated that come August, its customers using the Software Supply Chain Security module will have capabilities to prevent developers from committing code with embedded secrets and scan for phantom secrets hidden within their SCM file systems.