Talk

Exploiting secrets – How leaked credentials can be exploited to gain access

conf 2022-11-16 11:00 – 11:45 La Marive EN

The problem of publicly exposed secrets, such as API keys and other credentials, is a widespread weakness affecting organizations of all sizes. The scale of this problem was quantified in a year-long research study by GitGuardian, which found that 6 million secrets were leaked in public repositories on GitHub.com. The report also showed that nearly 5% of Docker images contain at least one plain-text secret.
This talk will examine why secrets are so frequent in public spaces despite being a highly valuable asset, and how attackers discover these credentials. Building on this, we break down three recent successful attacks that all used leaked credentials: Codecov 2021, Indian Government 2020 and the Lapsus breaches of 2022. By examining the methodology used in each, we will show the different techniques attackers used to harvest and exploit credentials. Finally, we break down the different methods and tools that can be used to extract secrets from source code, reviewing the pros and cons of each.