How to Mitigate the Risks of Token Leaks
Access tokens are used in token-based authentication and allow users to access a website, an application or API. After verifying their identity, the user has no need to re-enter their credentials for the lifetime of the token, as the token serves as their entry ticket. When they are created, tokens are granted a defined scope which limits the actions that can be taken while authenticated with that token.
Prevalence of Technical Leaks
It is challenging for organizations to prevent technical data leakage such as exposed secrets in source code hosting platforms like GitHub. Both small and large enterprises have their own share of problems preventing them from ensuring credentials are never exposed publicly. This is a reality that has to be accepted and managed by organizations. In fact, by GitHub’s estimation, as well as independent research on the subject, mistakes causing these kinds of leaks happen incessantly.
A 2019 paper from researchers at North Carolina State University (NCSU) claims over 100,000 repositories they scanned contained exposed API tokens or cryptographic keys. The data were gathered over six months by scanning billions of files from real-time public GitHub commits and a public snapshot covering 13% of open-source repositories at the time.
Risk Mitigation Integrated in GitHub
That same year the paper was published, GitHub claimed to have warned select service providers about a billion tokens that had been made public on their platform by mistake. These tokens were detected by GitHub’s secret scanning service, which, at the time, only scanned public repositories. GitHub announced last month that the coverage has expanded to private repositories.
This secret scanning service consists of GitHub scanning the contents of repositories to find patterns of leaked secrets issued by their partners. When secrets are found, GitHub relays them to the partner who issued them, so they can then be revoked. Even fast detection and remediation by GitHub and their partners can leave time for malicious actors to do some damage, especially so with overscoped tokens.
As for tokens issued by other entities than GitHub’s partners, the problem remains whole and other solutions are necessary to mitigate it. Not all code hosting platforms have protection as advanced as GitHub, and secrets always have a way of ending up where they should not such as on forums, question and answer sites and paste sites.
Overall Risk Mitigation Strategy
In order to mitigate the risks from potential leaks of tokens or other secrets on GitHub, it is preferable to attack the problem from multiple angles. While GitHub enables their partners to revoke leaked tokens, most organizations are at risk of leaking secrets not issued by those partners.
In addition to expanding leaked token coverage on GitHub, organizations should also surveil other platforms which rarely offer such protection. Tokens inevitably end up being exposed in code snippets on StackOverflow or PasteBin, often by a developer in need of a hasty answer. There is also the issue of leaky buckets which can expose secrets publicly through human error. To prevent attacks based on those potential leaks, a wide coverage is required to quickly notify the organization so it can rectify the situation as soon as possible.
Firework, a product developed by Flare Systems, monitors recent commits as well as public repositories on GitHub to find code and any leaked secrets belonging to your organization and alert you directly. This approach is also applied on platforms like StackOverflow and PasteBin, providing a wider coverage of potential technical data leakage protection.
Contact us to learn more.