git diff) the list of files with its parent commit,” Brizinov said. Once deleted files were restored, a simple search for secrets that were still active was performed through another automation.

AI made the exploit much easier: Interestingly, Brizinov relied on AI to do a lot of routine tasks in the exploit. For instance, a small platform to view and analyze file directory changes in a git repository was built using AI to visualize what objects are created, changed, and deleted. “Obviously this was an overkill for this project, but with vibe-coding, it took me less than 5 minutes, so why not?” Brizinov said. Additionally, AI was used to find public GitHub accounts associated with the list of companies Brizinov chose to target.

Leaked secrets often came from binary files like .pyc or .pdb, accidentally committed during development. These compiler-generated files can expose sensitive data if not properly excluded.

GitHub did not respond to CSO’s queries regarding Brizinov’s findings and how to manage the risks. Developers can, however, turn to GitHub’s GHAS features like Secret Scanning and Push Protection for detecting and blocking commits containing secrets. GitHub recently unbundled these offerings as individual subscriptions for wider and easier adoption.
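
A defender-side check for the risk described above, as an added example that is not from the article or the researcher's tooling: it lists files deleted anywhere in a repository's own history, which stay readable from the parent commit, and flags the .pyc and .pdb artifacts the article mentions. The sample log is constructed and the function names are hypothetical.

```python
import subprocess
from pathlib import PurePosixPath

# Extensions the article names as compiler output that leaked secrets.
BUILD_ARTIFACTS = {".pyc", ".pdb"}

# Constructed sample of:
#   git log --all --diff-filter=D --name-status --format="commit %H"
SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111

D\tapp/__pycache__/settings.cpython-311.pyc
D\tdocs/old-notes.md
commit 2222222222222222222222222222222222222222

D\tbuild/Service.pdb
D\tconfig/.env
"""

def parse_deletions(log_text):
    """Return [(commit, path)] for every file deleted in the log output."""
    found, commit = [], None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("D\t") and commit:
            found.append((commit, line.split("\t", 1)[1]))
    return found

def triage(deletions):
    """Tag each deletion; the blob stays readable at <commit>^:<path>."""
    report = []
    for commit, path in deletions:
        artifact = PurePosixPath(path).suffix.lower() in BUILD_ARTIFACTS
        report.append({"path": path, "recover_from": f"{commit}^:{path}",
                       "build_artifact": artifact})
    return report

def audit_repo(repo_dir):
    """Run the same listing on a local clone you own (needs git on PATH)."""
    out = subprocess.run(
        ["git", "-C", repo_dir, "log", "--all", "--diff-filter=D",
         "--name-status", "--format=commit %H"],
        check=True, capture_output=True, text=True).stdout
    return triage(parse_deletions(out))

if __name__ == "__main__":
    for row in triage(parse_deletions(SAMPLE_LOG)):
        flag = "ARTIFACT" if row["build_artifact"] else "review  "
        print(flag, row["recover_from"])
```

Any credential found in a listed file should be rotated, since deleting the file in a later commit does not remove it from history.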
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3969648/github-secrets-deleted-files-still-pose-risks.html

