In the press
TechCrunch
Employees of failed startups are at special risk of stolen personal data through old Google logins
Employees at failed startups are at particular risk of having their data stolen.
Forbes
Millions Of Sign-In-With-Google Users Warned Of Data-Theft Vulnerability
The bad news is that Google’s OAuth authentication can be exploited by attackers to gain access to sensitive data from, potentially, millions of accounts.
The Hacker News
Google OAuth Vulnerability Exposes Millions via Failed Startup Domains
New research has pulled back the curtain on a "deficiency" in Google's "Sign in with Google" authentication flow that exploits a quirk in domain ownership to gain access to sensitive data.
HelpNet Security
TruffleHog: Open-Source Solution for Scanning Secrets
TruffleHog is an open-source scanner that identifies and addresses exposed secrets throughout your entire technology stack.
SecurityWeek
Thousands of Popular Websites Leaking Secrets
Code security firm Truffle Security warns that thousands of the domains in the Alexa top 1 million websites list are leaking secrets, including credentials.
TechCrunch
India’s national logistics portal exposed sensitive personal data, trade records
Called the National Logistics Portal-Marine, the website made the sensitive and private data public due to misconfigured Amazon S3 buckets. It also carried a JavaScript file that included login credentials into the web source code. Security researcher Bob Diachenko found the issues with the Indian portal through the open source security tool TruffleHog.
The New Stack
The Challenges of Secrets Management, from Code to Cloud
TruffleHog is a powerful open source tool for identifying secrets and sensitive information across an organization’s entire software development life cycle (SDLC). In addition to identifying secrets in code, TruffleHog can also detect insecurely shared secrets in other areas of the SDLC, such as configuration files, build scripts and deployment pipelines.
iTnews
Docker users careless with secrets
The researchers emphasised that image creators need to be warned against uploading secrets to public Docker registries, and when deploying containers based on downloaded images, users should be warned that secrets like private keys might already be compromised. They also suggest that “credential-finding tools such as TruffleHog or SecretScanner … be integrated on both sides of the Docker paradigm.”
tl;dr sec
[tl;dr sec] #199 - Supply Chain Security Overview, Container Escapes, AI + Cybersecurity
Truffle’s Joe Leon et al. scanned the Alexa Top 1 Million for https://.com/.git and found 4,500 that exposed their source code (note: this is not even looking at sub-paths, only the top level).
Expa
Founder Spotlight: Dylan Ayrey of Truffle Security
As George Washington and Bill Belichick have often said: The best defense is a good offense. One of the best examples of this adage in action is Truffle Security, which helps companies identify and address credentials and passwords before hackers are able to find and exploit them.
SkyNet Tools