Intentionally Leaking AWS Access Keys - GitLab

Apr 25, 24

These days, “Intentionally Leaking Access Keys” is its own genre of security research and blog post.

Year Author Post
2020 Andrzej Dyjak tweet thread
2020 Tutorgeeks What happens if your AWS Credentials were leaked on GitHub.
2021 Paul Price What happens after you accidentally leak secrets to a public code repository
2021 R. Tyler Croy Intentionally leaking AWS keys
2023 Tibor Hercz What happens when you leak AWS credentials and how AWS minimizes the damage
2023 Chris Farris Public Access Key - 2023
2023 Chris Farris The Consistently Inconsistence response to Access Key Leaks
2023 Vijay Gawte What happens when your AWS keys leak and how AWS minimises account damage
2023 Eduard Schwarzkopf I Exposed AWS Access Keys, On Purpose: Here’s What I Learned and How I Boosted Incident Response
2023 Bar Kaduri & Tohar Braun 2023 Honeypotting in the Cloud Report
2024 Noah Pack What happens when you accidentally leak your AWS API keys?

However, I noticed they mostly leak keys on Github, and ocasionally on popular websites. I wondered: what would happen if we leak keys on GitLab instead?

An attempt to unseat my friend Chris Farris as the “most incompetent Security Hero EVER

GitLab public repositories

While less common than Github, Gitlab also supports public repositories. Bumbling through the process, I ended up with a Group and Project. I had to set the former to public to make the latter available. I don’t know what I’m doing ¯\_(ツ)_/¯

You can find it over at:

Leaking keys on GitLab

You can check out any of the previous blog posts for details on safe setup.

I leaked an AWS Access Key and Secret Key on GitLab on April 18th.

Then, dramatically … nothing happened?

In a week:

  • GitLab did not automatically detect the leakage and notify me
  • AWS did not automatically detect the leakage and quarantine the key
  • Not even the threat actors seemed to care about GitLab

Why doesn’t anyone care about my leaked key?😔

GitLab Secret Scanning

GitLab has a similar secret scanning feature to GitHub: Secret Detection

But, it turns out that while the Free tier is eligible for this feature, Secret Detection is not enabled by default.

Additionally, Automatic Response is pay-gated behind the “Ultimate” tier.

Thankfully, I’m still in my free trial period for Ultimate. Once I set up Secret Detection, I gave it a second whirl. Things go much more as expected:

13:40:06 - Key Published 13:40:28 - AWSCompromisedKeyQuarantineV2 attached 13:40:33 - Email notification recieved

Where are the threat actors?

So that clarifies why no one was looking out for me:

  1. You don’t get security from GitLab by default
  2. You don’t get security from GitLab for free

But where were the threat actors? If this key were shipped to GitHub, we’d be seeing merry mining of Monero within minutes.

I suspect there are two contributing factors:

  1. The attackers go where the victims are: GitLab is much less popular a home for public repositories than GitHub.
  2. GitLab does not make discovery as easy: GitHub provides a firehose of events that attackers can use to monitor for secrets. In fact, they delay the firehose slightly to allow their secrets detection to race attackers.