Page 71 - Cyber Defense eMagazine February 2024
*Emergent trends

While everything from Redis credentials to Azure keys was found among the releases, a few notable trends become apparent in our analysis:

   -   Google API key leaks have grown steadily over time, including a very large spike that occurred in 2020.
   -   Telegram bot tokens, found to be valid, have been leaked with increasing frequency, notably doubling in the first part of 2021 and spiking again in early 2023.
   -   A significant spike in leaked database credentials started in 2022 and continued through the end of the research window.



*Same secret, different releases

One thing that might stand out from these findings is the unbalanced ratio of unique secrets found versus the total number found across all releases. This is evidence that once a developer adds and publishes a secret, it is likely to stay in the code across multiple releases. This is due, in part, to the fact that publishing tools lack sensible defaults for ignoring files. PyPI lacks safeguards for what you exclude from a distribution.



For example, Python does not honor `.gitignore` settings when a package is built. While `.gitignore` is great for keeping files out of your git history, that is the whole of its job. There are solutions like `setuptools-git`, which you can use to safeguard against accidental inclusion. This matters for local configuration files like `.cookiecutterrc` and `.pypirc`. For reference, we found 43 `.pypirc` files containing PyPI publishing credentials.
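Because the build step ignores `.gitignore`, the reliable place to catch a stray `.pypirc` is the archive that will actually be uploaded. The following is an added example (not code from the article, PyPI or setuptools) of a pre-publish check that opens a built sdist and refuses to continue if any member looks like a local credential or configuration file. The pattern list, the `demo-1.0` package and the `pypi-REDACTED-EXAMPLE` token value are all constructed for the demonstration; the sdist is built in memory so the script runs offline.

```python
"""Scan a built source distribution (sdist) for files that should never ship.

Added example, not from the article or from PyPI/setuptools. Since the build
does not honor .gitignore, checking the archive that will be uploaded is the
dependable control. The sdist below is constructed in memory for the demo.
"""
import fnmatch
import io
import tarfile

# Basename patterns (assumed list, extend as needed) that indicate local
# configuration or credentials rather than package code.
SENSITIVE_PATTERNS = (
    ".pypirc",
    ".cookiecutterrc",
    ".env",
    ".env.*",
    "*.pem",
    "id_rsa",
    ".netrc",
)


def sensitive_members(archive):
    """Return the names of archive members that match a sensitive pattern.

    `archive` is a file-like object holding a gzip-compressed tar (an sdist).
    Only the basename is matched, so paths like demo-1.0/.pypirc are caught.
    """
    hits = []
    with tarfile.open(fileobj=archive, mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            basename = member.name.rsplit("/", 1)[-1]
            if any(fnmatch.fnmatch(basename, p) for p in SENSITIVE_PATTERNS):
                hits.append(member.name)
    return hits


def build_demo_sdist():
    """Construct an in-memory sdist that accidentally bundles .pypirc.

    Every file below is constructed sample data; the token is a placeholder.
    """
    buf = io.BytesIO()
    files = {
        "demo-1.0/setup.py": b"from setuptools import setup\nsetup(name='demo', version='1.0')\n",
        "demo-1.0/demo/__init__.py": b"",
        "demo-1.0/.pypirc": b"[pypi]\nusername = __token__\npassword = pypi-REDACTED-EXAMPLE\n",
        "demo-1.0/.cookiecutterrc": b"default_context:\n  email: dev@example.invalid\n",
    }
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def check_sdist(archive):
    """Return (ok, findings) so a CI step can fail before `twine upload`."""
    findings = sensitive_members(archive)
    return (len(findings) == 0, findings)


if __name__ == "__main__":
    ok, findings = check_sdist(build_demo_sdist())
    for name in findings:
        print(f"refusing to publish: {name} looks like a credential/config file")
    raise SystemExit(0 if ok else 1)
```

In a real pipeline you would pass the file object of the archive produced under `dist/` to `check_sdist` and gate the upload on its exit status; the check is cheap enough to run on every build, and matching on basenames keeps it independent of whatever top-level directory the build tool chooses.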



*Yanked files are still accessible

When a developer releases something they didn't intend to, their instinct might be to yank it back out of the project. Unfortunately, the yanking mechanism in PyPI does not actually remove the file from the server; it only marks the file to be ignored by an installer by default. If a user specifies the yanked version, it will still be used. The file is still downloadable, likely forever. Files are only completely removed from PyPI if they have known malicious code.



*Valid secrets granting unintended access

Here is a partial list of the most common types of valid secrets we found, which could give anyone access to the associated systems.
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.