Secrets in Cleartext

Protecting sensitive information is a basic security requirement. Yet, despite advances in technology, a glaring issue persists: secrets, such as API keys, passwords, and tokens, are often left exposed in cleartext within applications and platforms.

A recent article from The Hacker News highlights the importance of addressing these exposures. The article discusses the growing problem of secrets being stored in cleartext across applications, systems, and cloud environments. These secrets range from authentication credentials to sensitive configuration values, and the exposures often stem from misconfiguration or simple oversight by developers and security professionals.

My Analysis

At previous organizations I’ve worked with, I’ve seen developers sometimes send API keys or tokens in cleartext with the intent to change or rotate them later, only to forget. This creates a dangerous window where the secret is exposed and vulnerable to compromise.

Two tools I’ve previously assessed/used to help address this issue are:

  1. n0s1 Secret Scanner: A previous co-worker and good friend of mine, Marcelo Sacchetin, developed an open-source secret scanner for many common applications. The tool scans the entire content of tickets or messages using regex. It’s simple to configure and easy to customize based on what your organization deems important. The end result is a list of matched secrets or keywords, giving security personnel the option to proactively remove those secrets before they get into the hands of an attacker.
  2. Material Security: Material Security offers multiple solutions focused on safeguarding email traffic. The tool adds an extra layer of protection, ensuring that even if an attacker gains access to an email account, they cannot exploit sensitive information stored or shared via email. The platform emphasizes minimizing access to sensitive data and protecting users through advanced detection and alerting on suspicious activity.
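
To make the regex-scanning approach concrete, here is a small, self-contained scanner written for this post. It is an added example, not n0s1's own code, and the rules, message format and sample tickets are all assumptions constructed for illustration. It runs a set of named patterns over the body of each ticket or message, and reports the rule, the message identifier and a masked version of the match, so the report itself does not become another cleartext copy of the secret.

```python
import re
from dataclasses import dataclass

# Illustrative detection rules (name -> compiled regex). These are narrow on
# purpose; a real scanner carries many more patterns and tunes them for noise.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_bot_token": re.compile(r"\bxoxb-[0-9]+-[0-9]+-[A-Za-z0-9]+\b"),
    # Keyword-style rule: password = <value> or password: <value>, value captured in group 2
    "generic_password_assignment": re.compile(
        r"(?i)\b(password|passwd|pwd)\s*[:=]\s*['\"]?([^\s'\"]{6,})"
    ),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


@dataclass(frozen=True)
class Finding:
    rule: str       # which rule fired
    source: str     # ticket or message identifier
    redacted: str   # masked match, so the report does not leak the secret


def redact(value: str, keep: int = 4) -> str:
    """Keep a short prefix and suffix for triage, mask everything else."""
    if len(value) <= keep * 2:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep * 2) + value[-keep:]


def scan_text(source: str, text: str) -> list:
    """Run every rule over one message body and return its findings."""
    findings = []
    for name, pattern in RULES.items():
        for m in pattern.finditer(text):
            # Rules with a capture group report only the secret value,
            # not the surrounding keyword; others report the whole match.
            matched = m.group(m.lastindex) if m.lastindex else m.group(0)
            findings.append(Finding(name, source, redact(matched)))
    return findings


def scan_messages(messages: list) -> list:
    """Scan a list of {'id': ..., 'body': ...} records, e.g. exported tickets."""
    results = []
    for msg in messages:
        results.extend(scan_text(msg["id"], msg["body"]))
    return results


# Constructed sample tickets. AKIAIOSFODNN7EXAMPLE is AWS's published
# example key id; the other values are made up for this example.
SAMPLE_MESSAGES = [
    {"id": "PROJ-101", "body": "Here is the key: AKIAIOSFODNN7EXAMPLE, I'll rotate it next week"},
    {"id": "PROJ-102", "body": "staging db is password=Sup3rSecret! until we fix the vault"},
    {"id": "PROJ-103", "body": "deploy went fine, no creds here"},
    {"id": "PROJ-104", "body": "CI token ghp_0123456789abcdefghijABCDEFGHIJ012345 is in the wiki"},
]

if __name__ == "__main__":
    for f in scan_messages(SAMPLE_MESSAGES):
        print(f"{f.source}: {f.rule} -> {f.redacted}")
```

The redaction step matters in practice: the scanner's output typically lands in a ticket, a chat channel or a log, and an unmasked report simply moves the secret from one cleartext location to another.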

These are two examples of tools that provide crucial functionality to identify, protect, and secure secrets across both codebases and communication platforms.
