Mining passwords from public GitHub repositories

Saturday, August 28th, 2010

I was on GitHub today, and I had a thought about mining database, account and server passwords of public repositories where the developer has forgotten to remove the password from the source code before pushing to the public repository.

I did a simple test using GitHub’s search with certain keywords, e.g.:

You only need to go through about 10 pages of search results (“root password” has over 10,000 results) to see a few passwords that look real. GitHub does have an article about removing sensitive data (http://help.github.com/removing-sensitive-data/), which also contains a good line: “Once the commit has been pushed you should consider the data to be compromised. Period.” That is very true, but it seems there are a lot of developers out there who are committing their passwords. I wonder how many hackers have prowled through GitHub looking for passwords and, as a result, successfully pulled off an attack.

However, the best search term is “gmail password” (http://github.com/search?type=Code&language=&q=gmail+password&repo=&langOverride=&x=0&y=0&start_value=1); as you can see, the first result looks like a real Gmail password. I haven’t tested any of these passwords, but I’m sure there are plenty of real passwords that developers have committed.

So remember, DON’T COMMIT YOUR PASSWORDS!
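The advice above is the right mitigation, and the practical way to enforce it is to scan the files you are about to commit for the same kinds of strings those searches turn up, before they ever reach a public repository. The script below is an added example written for this page; it is not code from the post or from GitHub. The regex patterns, the placeholder allowlist, the `nosecret` opt-out marker and the sample `settings.py` content are all assumptions constructed for the example, and the git commands it runs as a hook (`git diff --cached --name-only`, `git show :path`) are standard git.

```python
"""Pre-commit scan for hard-coded credentials.

Added example for this page (not the post's own code). Install by copying to
.git/hooks/pre-commit and making it executable; the commit is refused when a
likely credential is found in a staged file.
"""
import re
import subprocess
import sys

# Credential shapes this scanner looks for. Assumption: these cover the common
# cases ("password = '...'", user:pass@host in URLs, PEM private keys); extend
# them for your own codebase.
PATTERNS = {
    "assignment": re.compile(
        r"""(?i)(?:password|passwd|pwd|secret|api_key|apikey|token)\s*[:=]\s*["']([^"']{4,})["']"""
    ),
    "url_credentials": re.compile(
        r"""(?i)\b[a-z][a-z0-9+.-]*://[^\s:/@"']+:([^\s@/"']+)@"""
    ),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}

# Values that are obviously placeholders rather than real secrets (assumption).
PLACEHOLDER = re.compile(
    r"""(?i)^(?:changeme|password|secret|xxx+|\*+|<[^>]*>|\$\{[^}]*\}|%[^%]*%|your[_-]?\w*|none|null|todo)$"""
)


def is_placeholder(value):
    """True when the captured value is a template/placeholder, not a credential."""
    return PLACEHOLDER.match(value.strip()) is not None


def find_secrets(text, path="<stdin>"):
    """Return a list of (path, line_no, pattern_name, line) for suspicious lines."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if "nosecret" in line:  # per-line opt-out for a reviewed false positive
            continue
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else ""
            if name != "private_key" and is_placeholder(value):
                continue
            findings.append((path, lineno, name, line.strip()))
            break  # one finding per line is enough to block the commit
    return findings


def staged_files():
    """Yield (path, content) for every file added/copied/modified in the index."""
    names = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, errors="replace", check=True,
    ).stdout.split()
    for path in names:
        # ":path" reads the staged blob, so unstaged edits are not scanned.
        blob = subprocess.run(
            ["git", "show", f":{path}"],
            capture_output=True, text=True, errors="replace", check=True,
        ).stdout
        yield path, blob


# Constructed sample file used by --demo and by the checks below; the values
# are invented and illustrate both real-looking secrets and placeholders.
SAMPLE_CONFIG = """\
# settings.py (constructed sample)
DB_USER = "app"
DB_PASSWORD = "changeme"
SMTP_HOST = "smtp.gmail.com"
SMTP_PASSWORD = "hunter2pass"
DATABASE_URL = "mysql://app:s3cr3t-value@db.internal/app"
API_TOKEN = "${API_TOKEN}"
"""


def main(argv):
    if argv[1:] == ["--demo"]:
        findings = find_secrets(SAMPLE_CONFIG, "settings.py")
    else:
        findings = []
        for path, text in staged_files():
            findings.extend(find_secrets(text, path))
    for path, lineno, name, line in findings:
        print(f"{path}:{lineno}: possible {name}: {line}", file=sys.stderr)
    if findings:
        print("Commit blocked: remove the credential or add '# nosecret' after review.",
              file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run `python pre-commit --demo` to see the two lines in the sample that would block a commit (the Gmail SMTP password and the credentials embedded in the database URL); `changeme` and `${API_TOKEN}` are skipped as placeholders. As a hook it exits non-zero whenever a staged file matches, which is the moment to move the value into an environment variable or a secrets store rather than the moment after the push, when GitHub's own guidance already considers it compromised.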