Joe Leon

The Dig

October 31, 2024

7 Spooky Places Your Secrets Leak Online

As we gear up for the spookiest time of the year, we reviewed our research from the past year to identify the seven eeriest spots where your API keys and passwords might be lurking online.

1. Deleted Forks on GitHub

Ever forked a repository on GitHub? Yeah. Me too. If you delete that fork, any data you committed might still be accessible. Just when you thought your secrets were buried for good, they still might be floating in the digital abyss.



GitHub's handling of deleted forks doesn't ensure complete data removal. Attackers can exploit this oversight to retrieve confidential code, API keys, or other secrets you believed deleted.

Read more about our findings on deleted forks.

2. Private Forks on GitHub

When open-sourcing software on GitHub, organizations often create a private, internal version (fork) of their tool before making it public.

This works by a user forking a repository (before it’s made public) and then committing additional features to the fork. Eventually, the private repository is made public, and the organization continues development work on its private fork.

But beware! Data committed to the original “upstream” repository before it’s made public is also public. It looks like this.


Dive deeper into the risks of private forks on GitHub.

3. Private Forks on Azure Repos

GitHub isn't the only platform with spooky vulnerabilities. Azure Repos has its own shadowy corners, where private forks can unexpectedly expose sensitive data. When users create a private fork of a public repository and then commit data to the private fork, all their private commits are publicly visible! 


Read about private forks on Azure Repos.

4. Postman Workspaces

This past April, we released our research on the thousands of secrets haunting Postman workspaces. Since then, Postman has taken several proactive steps to protect their users from secrets leakage, like changing a workspace’s visibility to private if they detect a secret.

We revisited Postman this month, and while those efforts make a difference, Postman’s secret detection capabilities are limited. Depending on the type of secret you accidentally leak on a public workspace, it might be exposed for all to see.

Teams need to be vigilant when using public resources on Postman and to manually audit for any secrets before changing visibility settings.

See how secrets can leak through Postman.

5. Deleted Branches on GitHub

Deleting a branch after merging a PR on GitHub is super common, but some branches have a way of returning from the dead. Did you know that you can still retrieve data from deleted branches? One small tweak to the way you run git clone can retrieve all of those deleted branches.


git clone <repo> -c "remote.origin.fetch=+refs/*:refs/remotes/origin/*"


This loophole can lead to the unintended exposure of credentials or sensitive code snippets, haunting your projects long after you've pressed "Delete Branch".

Learn about scanning deleted GitHub branches.

6. Edited Comments on GitHub

Accidentally posted a secret in a GitHub comment and then edited it out? Unfortunately, the original content might still be retrievable. We've found that edited comments can retain their initial versions, including any sensitive information initially included.



This means your API keys or passwords could still be accessible, lurking in the shadows of your comments’ past versions.

Explore how edited comments can leak secrets.

7. Base64-Encoded Text on GitHub

While GitHub proactively blocks plain-text secrets from being committed to public GitHub repos, they don’t currently block base64-encoded versions. Try committing this Base64-encoded AWS canary token on a public GitHub repo:


echo "YXdzX2FjY2Vzc19rZXlfaWQgPSBBS0lBMlVDM0JTWE1JWUVHSUVPRiBhd3Nfc2VjcmV0X2FjY2Vzc19rZXkgPSBWRUpDY2R0WS9sUGR2WmdWbnJqV1UxT3VzT1BKcEVPdkZtV1dycUJkCg==" > secret.txt
git add secret.txt
git commit -m "committing a base64 encoded secret to GH"
git push


Tools like TruffleHog can decode and unarchive data during scanning, dragging them out from the shadows of your code. Relying solely on default protections isn't enough to keep encoded data safe.
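To make the "decode during scanning" point concrete, here is an added example (not TruffleHog's code, and not from the original post) of the minimal logic a scanner needs: find runs of base64 alphabet in a file, decode the ones that are valid and look like text, and run the plain-text AWS key ID pattern over both the raw file and each decoded layer. It goes slightly beyond the post by peeling up to three nested base64 layers (the `MAX_DEPTH` limit is an assumption). The sample input is constructed from the canary token shown above; the `AKIA[0-9A-Z]{16}` pattern and the 90%-printable heuristic are the example's own choices.

```python
import base64
import binascii
import re

# Plain-text pattern for an AWS access key ID (the canary above starts with AKIA).
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Candidate base64 blobs: long runs of the base64 alphabet plus optional padding.
B64_CANDIDATE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# Assumption: how many nested base64 layers we are willing to peel.
MAX_DEPTH = 3

# Constructed sample: the contents of the secret.txt file from the commands above.
PAGE_BLOB = (
    "YXdzX2FjY2Vzc19rZXlfaWQgPSBBS0lBMlVDM0JTWE1JWUVHSUVPRiBhd3Nfc2VjcmV0X2FjY2Vzc19rZXkgPSBW"
    "RUpDY2R0WS9sUGR2WmdWbnJqV1UxT3VzT1BKcEVPdkZtV1dycUJkCg=="
)
SAMPLE_FILE = "# config dump (constructed sample)\n" + PAGE_BLOB + "\n"


def _try_b64_decode(token: str):
    """Return decoded UTF-8 text for a valid base64 token, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    # Require mostly printable text; random binary is not an encoded config file.
    if not text or sum(c.isprintable() or c.isspace() for c in text) < 0.9 * len(text):
        return None
    return text


def find_aws_key_ids(text: str, depth: int = 0):
    """Find AWS key IDs in text, including ones hidden under base64 layers.

    Returns a list of (key_id, depth) tuples: depth 0 means the key sat in
    plain text, depth 1 means it appeared after one base64 decode, and so on.
    """
    findings = [(m.group(0), depth) for m in AWS_KEY_ID.finditer(text)]
    if depth >= MAX_DEPTH:
        return findings
    for m in B64_CANDIDATE.finditer(text):
        token = m.group(0)
        # Pad to a multiple of 4 so a blob with stripped padding still decodes.
        padded = token + "=" * (-len(token) % 4)
        decoded = _try_b64_decode(padded)
        if decoded is not None:
            findings.extend(find_aws_key_ids(decoded, depth + 1))
    return findings


if __name__ == "__main__":
    for key_id, depth in find_aws_key_ids(SAMPLE_FILE):
        print(f"found {key_id} under {depth} base64 layer(s)")
```

Running the block reports the canary's key ID at depth 1, which is exactly the case GitHub's plain-text push protection does not catch; the same function on the plain-text equivalent reports it at depth 0. A real scanner adds more detectors and verifies candidates against the provider, but the decode-then-rescan loop is the piece that turns an encoded secret back into a detectable one.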

Understand the risks of encoded secrets.

Stay vigilant, and don't let your secrets come back to haunt you this Halloween season!