Public GitLab Repositories "Leak" Over 17,000 Secrets

Cybersecurity specialist Luke Marshall examined 5.6 million public GitLab Cloud repositories and discovered over 17,000 forgotten secrets (API keys, passwords, and tokens) across more than 2,800 unique domains. The researcher noted that the majority of these secrets are still active.

Research Methodology

Marshall used the open-source tool TruffleHog to scan all public repositories on the platform. The researcher has conducted similar experiments in the past: previously, he scanned Bitbucket, where he found 6,212 secrets in 2.6 million repositories, and also checked the Common Crawl dataset used for training AI models, uncovering about 12,000 secrets there.

For the new research, Marshall wrote a Python script that iterated through all repositories via the GitLab public API, sorted them by project ID, and sent the list to AWS Simple Queue Service (SQS). Next, an AWS Lambda function retrieved a repository name from SQS, ran TruffleHog against that repository, and recorded the results in logs.

The entire investigation process took just over a day and cost the researcher $770.

Findings

Marshall discovered 17,430 confirmed "live" secrets in the repositories—almost three times more than in Bitbucket. The leak density (number of secrets per repository) was also 35% higher.

Per Marshall, most of the exposed data is relatively recent—dating back to 2018. However, during the analysis, Marshall also found a few very old keys, dated 2009, which still work today.

Developers most often inadvertently exposed Google Cloud Platform credentials (over 5,200 cases). Many MongoDB keys, Telegram bot tokens, and OpenAI keys were also discovered. Just over 400 of the leaked secrets were GitLab keys themselves.
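As an added illustration of the kind of check TruffleHog performs in the scanning pipeline described under Research Methodology, and of the credential families listed in the findings, the following Python scanner is example code written for this article; it is neither Marshall's script nor TruffleHog's own detector set. It walks a constructed in-memory repository and flags the secret types named above. The regular expressions are assumed format approximations for each provider, and unlike TruffleHog the example does not check whether a match is still live. It is written to run as a pre-commit or CI gate on your own repositories, so that a credential is caught before it ever lands in a public project.

```python
import re
from dataclasses import dataclass

# Detection rules for the credential families named in the article.
# The patterns are assumed format approximations, not TruffleHog's detectors.
RULES = {
    "gcp_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "gcp_service_account_key": re.compile(r"-----BEGIN (?:RSA )?PRIVATE KEY-----"),
    "mongodb_uri_with_password": re.compile(r"mongodb(?:\+srv)?://[^:/\s@]+:[^@\s]+@[^\s'\"]+"),
    "telegram_bot_token": re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b"),
    "openai_api_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
    "gitlab_pat": re.compile(r"\bglpat-[A-Za-z0-9_-]{20,}\b"),
}


@dataclass
class Finding:
    path: str
    line_no: int
    rule: str
    redacted: str  # never store or log the full matched value


def redact(secret: str) -> str:
    """Keep just enough of the match to locate it in the file."""
    return f"{secret[:4]}...{secret[-2:]} ({len(secret)} chars)"


def scan_text(path: str, text: str) -> list[Finding]:
    """Run every rule over every line; a line may yield several findings."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for match in pattern.finditer(line):
                findings.append(Finding(path, line_no, rule, redact(match.group(0))))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """files maps a repository path to its text content (e.g. from git ls-files)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, the same breakdown the research reports."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


def precommit_exit_code(files: dict[str, str]) -> int:
    """Non-zero blocks the commit or CI job when any secret is detected."""
    return 1 if scan_repo(files) else 0


# Constructed sample repository; every value below is fake and matches only
# the assumed formats above.
SAMPLE_REPO = {
    "config/settings.env": (
        "DATABASE_URL=mongodb+srv://app_user:Sup3rS3cret@cluster0.example.mongodb.net/app\n"
        "TELEGRAM_BOT_TOKEN=123456789:AAHfakeTOKENfakeTOKENfakeTOKENfake1\n"
        "OPENAI_API_KEY=${OPENAI_API_KEY}\n"  # a variable reference, not a secret
    ),
    "deploy/gcp-sa.json": (
        '{"type": "service_account", "private_key": '
        '"-----BEGIN PRIVATE KEY-----\\nMIIE...FAKE...\\n-----END PRIVATE KEY-----\\n"}\n'
    ),
    "scripts/ci.sh": (
        "export GITLAB_TOKEN=glpat-FAKEFAKEFAKEFAKEFAKE\n"
        'curl -H "PRIVATE-TOKEN: $GITLAB_TOKEN" https://gitlab.example.com/api/v4/projects\n'
        "export GOOGLE_API_KEY=AIzaSyFAKEkeyFAKEkeyFAKEkeyFAKEkeyFAKE1\n"
    ),
    "src/notebook.py": 'client = OpenAI(api_key="sk-FAKEFAKEFAKEFAKEFAKEFAKE")\n',
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line_no}  {f.rule}  {f.redacted}")
    print(summarize(scan_repo(SAMPLE_REPO)))
    raise SystemExit(precommit_exit_code(SAMPLE_REPO))
```

The scanner reports only a redacted fragment of each match, so its own output does not become a second copy of the leak in CI logs. To turn it into a gate, feed it the files staged for commit (or the whole tree in CI) and fail the job on a non-zero exit code; pair it with a verification step like TruffleHog's if you also want to know which of the matches are still active.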

Disclosure Process

Since the found secrets were linked to 2,804 unique domains, the researcher was unable to manually notify all affected parties. He automated this process: he used Claude Sonnet 3.7 with web search and a Python script to generate emails.

In the course of notifying the companies affected by the leaks, Marshall received several bug bounty awards, totaling $9,000.

Per the researcher's report, many organizations revoked the exposed secrets after receiving notifications, but many other secrets can still be found on GitLab.