
Joe Leon

THE DIG

April 12, 2024

Do Secrets Leak on Public GitHub Gists in 2024?


Yes. But not as many as we expected.



What’s a gist? Technically, it’s a git repo. GitHub users treat gists like scratchpads: a place to store arbitrary information (e.g. a one-off script, log output, etc.). Gists can be public or secret (the default is secret); however, no gist is truly private, since anyone who has the link to a gist can read the data stored there.


There’s a history of companies getting breached through secrets in Gists, such as the 2014 Uber breach, which stemmed from an AWS key posted in a public Gist (screenshot below from Uber’s court filing).



Given this history, we were eager to dig in and see how many keys might still be leaking in Gists.


We spent one week tracking GitHub’s public gist feed. Every ten minutes, we requested the most recently published public gists. Then, we scanned each one for secrets using the following TruffleHog command:


trufflehog github --repo https://gist.github.com/<GIST_ID>.git --gist-comments


Over the course of 7 days, we scanned 37,323 public gists.



Surprisingly, we only found 11 gists containing a live credential! Honestly, we expected to find a lot more of them, since we find hundreds of live credentials on public GitHub repositories every day. We challenge our readers to repeat this experiment and let us know if you find different results!

Among the 11 gists containing secrets, we identified 10 unique secrets.




At the conclusion of our research, we re-verified each secret and found that 7 secrets were still live. That’s consistent with research we did last fall on how often developers actually rotate leaked keys (74% of the time).


Why aren’t more secrets leaking on Gists?

Gists Default to Secret.


We used GitHub’s official List public gists API endpoint to gather data. The API documentation states that it returns the most recently updated public gists.



There is no publicly available feed to track the most recently published secret gists. Since gists are secret by default, our assumption is that most users create secret gists unless they have a compelling reason to make them public (or don’t realize they have). As a result, we only analyzed a fraction of the total gists published during our research period.


Additionally, we assume that despite secret gists being publicly accessible to anyone with the correct link, users find a sense of security in the term secret and include plaintext credentials at a higher rate than in public gists.



Secret Gists Cost the Same as Public Gists (Free!)


There is no difference in price between public and secret gists (they’re both free). While some SaaS services charge more for users to make their data non-public, GitHub lets users create unlimited public and secret gists. This prevents users from having to compromise on data security due to tiered plans and associated costs.


Gists Are Git Repositories, but Only Technically


While you can run git clone <gist repo url> and interact with a Gist like a normal GitHub repository, most users don’t. GitHub’s Gist UI is designed for users to copy/paste files into a text box and then share the link for collaboration. This is a fundamentally different workflow than committing to git.

Instead of accidentally committing a secret via a command-line commit, users have to look directly at their plaintext credential as they paste it into a Gist. This behavior might cause users to pause and reconsider publishing plaintext credentials.


GitHub Secret Scanning & Push Protection?


GitHub recently launched push protection that prevents some types of secrets from being committed to public repositories. Unfortunately, that does not appear to cover Gists (despite the fact that Gists are git repositories). This means that a user can post a sensitive key on a public gist without being blocked.


However, GitHub’s secret scanning (and notifications) do cover GitHub Gist files. If you post one of the covered key types, GitHub will likely see it and then work with the SaaS provider to revoke the key and/or notify you.


We believe GitHub’s secret scanning contributed somewhat to the relatively few live credentials we discovered during our research.

Importantly, while we did not find any secrets in Gist comments during our research, GitHub's secret scanning does not cover Gist comments.


I use Gists. What should I do?

We recommend periodically running TruffleHog against your gists (public and secret).


First, query the List Gists for the Authenticated User API endpoint to get a list of all of your gists. Depending on how many you have, you’ll need to paginate through the results.

curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/gists


Then, run each Gist through TruffleHog’s Gist and Gist Comments scanner.


trufflehog github --repo https://gist.github.com/<GIST_ID>.git --gist-comments


If you find a key, we recommend immediately rotating that key, as well as looking for signs of misuse in any available logs.
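Putting the two steps together, as an added example that is not code from the TruffleHog post: a POSIX shell script that pages through the List Gists endpoint, pulls out each gist id and runs the post’s TruffleHog command against it. GITHUB_TOKEN, the GIST_API override, the helper names and the sample JSON are assumptions of this example; pointing GIST_API at the public-gists endpoint turns the same loop into the feed scan used for the research above.

```shell
#!/bin/sh
# Added example, not code from the TruffleHog post: page through a gist
# listing and run the post's TruffleHog command on every gist id found.
# Assumes GITHUB_TOKEN is set and trufflehog is on PATH when run with --run.
# Set GIST_API=https://api.github.com/gists/public to follow the public feed.
set -eu
API="${GIST_API:-https://api.github.com/gists}"

# Clone URL TruffleHog expects for a gist id.
gist_repo_url() {
  printf 'https://gist.github.com/%s.git\n' "$1"
}

# Pull gist ids out of a listing on stdin. Gist ids are quoted hex strings,
# so the numeric owner "id" and the "node_id" field do not match. (jq is more robust.)
extract_gist_ids() {
  grep -o '"id": *"[0-9a-f]\{1,\}"' | sed 's/.*"\([0-9a-f]\{1,\}\)"$/\1/' || true
}

# Fetch one page (at most 100 gists) of the listing.
fetch_page() {
  curl -sSL \
    -H "Accept: application/vnd.github+json" \
    -H "Authorization: Bearer ${GITHUB_TOKEN:?set GITHUB_TOKEN}" \
    -H "X-GitHub-Api-Version: 2022-11-28" \
    "$API?per_page=100&page=$1"
}

# Walk pages until one returns no ids; scan each gist's files and comments.
scan_all_gists() {
  page=1
  while :; do
    ids=$(fetch_page "$page" | extract_gist_ids)
    [ -n "$ids" ] || break
    for id in $ids; do
      echo "== scanning gist $id"
      trufflehog github --repo "$(gist_repo_url "$id")" --gist-comments
    done
    page=$((page + 1))
  done
}

# Constructed sample listing (not real data) to exercise the parser offline.
SAMPLE='[{"id": "a1b2c3d4", "owner": {"id": 42, "node_id": "MDQ6VXNlcjQy"}}, {"id": "deadbeef"}]'

case "${1:-}" in
  --run) scan_all_gists ;;
  *) printf '%s\n' "$SAMPLE" | extract_gist_ids ;;
esac
```

Run it as `GITHUB_TOKEN=... ./scan_gists.sh --run`; without `--run` it only parses the embedded sample so you can check the id extraction before scanning anything.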