Wednesday, April 17 • 3:00pm - 3:45pm
Bulletproof Shoes


Version control software has come a long way, and the barrier to creating an open source project has been lowered to a point of being negligible. Experienced and inexperienced developers alike use hosted version control systems, such as GitHub, to share their code with the world. This open sharing of ideas is beneficial, but does come with occasional risks - accidentally publishing credentials or sensitive data, to name one. This issue has become so prevalent that all major hosts have documentation on the removal of sensitive data, but it has also led to the creation of numerous tools which trawl repositories for such sensitive information (which, in the malicious case, is then stolen and abused).
These repository-scanning tools mean that time is of the essence. When a user accidentally publishes a credential, the damage an attacker can cause is limited only by the privilege of that credential. An AWS credential, once leaked, could allow an attacker to spin up EC2 instances for mining bitcoin. A Slack token could allow an attacker to access the information in a Slack workspace, or perform other malicious actions based on the scope of the token. Therefore, it’s important for us to stop the abuse of such tokens before they fall into the wrong hands. In this talk we will discuss our “token nuker” - the tool we use to search for accidentally published Slack tokens and revoke them before they can be abused. We will cover the history, evolution, and current state of our automation, in what we hope will serve to benefit other security teams and application developers.
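As an added illustration (not Slack's own token nuker and not code from this page), a minimal scan-and-revoke loop in Python: it finds Slack-token-shaped strings in a text such as a commit diff, de-duplicates them, and calls Slack's auth.revoke Web API method with each one, logging only masked values. The token regex is a simplified assumption rather than Slack's documented grammar, the sample diff and its tokens are constructed, and fake_revoke stands in for the live API so the block runs offline.

```python
import json
import re
import urllib.request

# Simplified token shapes (an assumption, not Slack's official grammar): the letter after "xox" marks the kind.
TOKEN_RE = re.compile(r"\bxox([bpars])-[0-9A-Za-z]{8,}(?:-[0-9A-Za-z]+)*\b")
KINDS = {"b": "bot", "p": "user", "a": "app", "r": "refresh", "s": "legacy-session"}
REVOKE_URL = "https://slack.com/api/auth.revoke"

def mask(token: str) -> str:
    """Keep only the prefix and last 4 chars so a finding can be logged safely."""
    return token[:5] + "..." + token[-4:]

def find_tokens(text: str) -> list:
    """Return each unique token-shaped string with its kind and a loggable mask."""
    seen, findings = set(), []
    for m in TOKEN_RE.finditer(text):
        tok = m.group(0)
        if tok not in seen:
            seen.add(tok)
            findings.append({"token": tok, "kind": KINDS[m.group(1)], "masked": mask(tok)})
    return findings

def revoke_via_http(token: str) -> dict:
    """Live transport: call auth.revoke authenticated with the leaked token itself."""
    req = urllib.request.Request(REVOKE_URL, method="POST",
                                 headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def nuke(text: str, revoke=revoke_via_http) -> list:
    """Revoke every token found in text; report outcomes by masked value only."""
    results = []
    for f in find_tokens(text):
        try:
            reply = revoke(f["token"])
            status = "revoked" if reply.get("revoked") else "failed: " + str(reply.get("error", "unknown"))
        except OSError as exc:  # network or HTTP failure: record it and keep going
            status = "error: " + str(exc)
        results.append({"masked": f["masked"], "kind": f["kind"], "status": status})
    return results

# Constructed sample diff: two fake tokens, the bot token repeated to show de-duplication.
SAMPLE_DIFF = """+SLACK_BOT_TOKEN=xoxb-123456789012-1234567890123-AbCdEfGhIjKlMnOpQrStUvWx
+# TODO remove: xoxp-111111111111-222222222222-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+BACKUP=xoxb-123456789012-1234567890123-AbCdEfGhIjKlMnOpQrStUvWx
"""
def fake_revoke(token: str) -> dict:
    """Offline stand-in for the API: the user token is reported as already invalid."""
    return {"ok": True, "revoked": True} if token.startswith("xoxb") else {"ok": False, "error": "invalid_auth"}
```

Running `nuke(SAMPLE_DIFF, revoke=fake_revoke)` reports the bot token as revoked and the user token as `failed: invalid_auth`; swapping in the default `revoke_via_http` sends each token to Slack for real.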

Speakers

Fikrie Yunaz

Product Security Engineer, Slack
Fikrie Yunaz is a Product Security Engineer at Slack. He is a security enthusiast and loves breaking web applications. He specializes in the areas of application security and security test automation. He was previously a Security Engineer at Oracle.

Nikki Brandt

Staff Security Engineer, Slack
Nikki Brandt is a Staff Tech Lead/Manager on the Product Security team at Slack, where she currently leads the Product Security team and drives the security review process. Before joining Slack, Nikki was a senior security consultant at NCC Group (via Matasano), and a security engineer...
Wednesday April 17, 2019 3:00pm - 3:45pm HST
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA