Intentionally Leaking AWS Access Keys - GitLab
Apr 25, 2024

These days, "Intentionally Leaking Access Keys" is its own genre of security research and blog post.
Year | Author | Post |
---|---|---|
2020 | Andrzej Dyjak | tweet thread |
2020 | Tutorgeeks | What happens if your AWS Credentials were leaked on GitHub. |
2021 | Paul Price | What happens after you accidentally leak secrets to a public code repository |
2021 | R. Tyler Croy | Intentionally leaking AWS keys |
2023 | Tibor Hercz | What happens when you leak AWS credentials and how AWS minimizes the damage |
2023 | Chris Farris | Public Access Key - 2023 |
2023 | Chris Farris | The Consistently Inconsistence response to Access Key Leaks |
2023 | Vijay Gawte | What happens when your AWS keys leak and how AWS minimises account damage |
2023 | Eduard Schwarzkopf | I Exposed AWS Access Keys, On Purpose: Here’s What I Learned and How I Boosted Incident Response |
2023 | Bar Kaduri & Tohar Braun | 2023 Honeypotting in the Cloud Report |
2024 | Noah Pack | What happens when you accidentally leak your AWS API keys? |
However, I noticed they mostly leak keys on GitHub, and occasionally on popular websites. I wondered: what would happen if we leak keys on GitLab instead?
An attempt to unseat my friend Chris Farris as the “most incompetent Security Hero EVER”
GitLab public repositories
While less common than GitHub, GitLab also supports public repositories. Bumbling through the process, I ended up with a Group and Project. I had to set the former to public to make the latter available. I don't know what I'm doing ¯\_(ツ)_/¯
You can find it over at: https://gitlab.com/aws-test5694716/test-project
Leaking keys on GitLab
You can check out any of the previous blog posts for details on safe setup.
I leaked an AWS Access Key and Secret Key on GitLab on April 18th.
Then, dramatically … nothing happened?
In a week:
- GitLab did not automatically detect the leakage and notify me
- AWS did not automatically detect the leakage and quarantine the key
- Not even the threat actors seemed to care about GitLab
Why doesn’t anyone care about my leaked key?😔
GitLab Secret Scanning
GitLab has a similar secret scanning feature to GitHub: Secret Detection
But it turns out that, while the Free tier is eligible for the feature, Secret Detection is not enabled by default.
Additionally, Automatic Response (the part that reports a detected key to the provider so it can be revoked) is pay-gated behind the "Ultimate" tier.
Thankfully, I'm still in my free trial period for Ultimate. Once I set up Secret Detection, I gave it a second whirl, and things went much more as expected:
- 13:40:06 - Key Published
- 13:40:28 - AWSCompromisedKeyQuarantineV2 attached
- 13:40:33 - Email notification received
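If you want to reproduce that timeline on your own throwaway account, the following is an added example (my code, not the post's) that polls IAM from the moment you publish the key and records two events: when AWS attaches the quarantine policy, and when the key is first used by anyone. It assumes `boto3` is installed, that the calling principal may call `iam:ListAttachedUserPolicies` and `iam:GetAccessKeyLastUsed`, and that the user name and key ID you pass in are your own test values; the quarantine policy ARN is the AWS-managed `AWSCompromisedKeyQuarantineV2`. The leak itself is deliberately not performed here.

```python
"""Measure time-to-quarantine (and time-to-first-use) for a deliberately leaked IAM key.

Added example, not code from the original post. Assumes boto3 and an IAM
principal allowed to call iam:ListAttachedUserPolicies and
iam:GetAccessKeyLastUsed. The helpers are pure so they can be tested offline.
"""
import time
from datetime import datetime, timezone

# AWS-managed policy that AWS attaches to a user when it believes a key is exposed.
QUARANTINE_ARN = "arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV2"


def quarantine_attached(attached_policies):
    """True if the quarantine policy is among the user's attached managed policies.

    `attached_policies` is the 'AttachedPolicies' list returned by
    iam.list_attached_user_policies().
    """
    return any(p.get("PolicyArn") == QUARANTINE_ARN for p in attached_policies)


def key_first_use(last_used_response):
    """Return LastUsedDate from iam.get_access_key_last_used(), or None.

    A never-used key comes back with ServiceName/Region 'N/A' and no LastUsedDate.
    Caveat: this field is updated with a delay and is coarse; CloudTrail is the
    authoritative record of who used the key and from where.
    """
    return last_used_response.get("AccessKeyLastUsed", {}).get("LastUsedDate")


def seconds_since(published_at, now):
    """Elapsed seconds between publishing the key and an observed event."""
    return (now - published_at).total_seconds()


def watch(user_name, access_key_id, published_at, interval=5, timeout=900):
    """Poll IAM until both events are seen or `timeout` seconds elapse.

    Returns (quarantined_at, first_used_at); either may be None.
    """
    import boto3  # imported here so the pure helpers above stay importable offline

    iam = boto3.client("iam")
    quarantined_at = used_at = None
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline and (quarantined_at is None or used_at is None):
        now = datetime.now(timezone.utc)
        if quarantined_at is None:
            resp = iam.list_attached_user_policies(UserName=user_name)
            if quarantine_attached(resp["AttachedPolicies"]):
                quarantined_at = now
                print(f"+{seconds_since(published_at, now):.0f}s quarantine policy attached")
        if used_at is None:
            used = key_first_use(iam.get_access_key_last_used(AccessKeyId=access_key_id))
            if used is not None:
                used_at = used
                print(f"+{seconds_since(published_at, used):.0f}s key first used (per IAM last-used)")
        time.sleep(interval)
    return quarantined_at, used_at


if __name__ == "__main__":
    # Placeholder values: substitute your own test user and the key you are about to leak.
    watch("leak-test-user", "AKIAIOSFODNN7EXAMPLE", datetime.now(timezone.utc))
```

Start the script immediately before you push the commit containing the key; the "+Ns" offsets then correspond to the post's timeline. Because `GetAccessKeyLastUsed` lags, treat the first-use time as a lower bound and confirm it against CloudTrail.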
Where are the threat actors?
So that clarifies why no one was looking out for me:
- You don’t get security from GitLab by default
- You don’t get security from GitLab for free
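Since a free GitLab project scans nothing unless you switch Secret Detection on yourself (the CI template is `Jobs/Secret-Detection.gitlab-ci.yml`), the practical takeaway is to catch the key before it is pushed at all. The following is an added example (my code, not the post's and not GitLab's detection rules) of a pre-commit guard that scans only the lines being added in the staged diff for an AWS access key ID and a labelled secret key. The regexes are my own approximation of what a scanner looks for, and the sample diff is constructed using the credentials AWS publishes as documentation placeholders.

```python
"""Pre-commit guard: fail the commit if staged changes add AWS credentials.

Added example, not code from the original post and not GitLab's Secret Detection
rules. Regexes below are an approximation, tuned to keep false positives low.
"""
import re
import subprocess
import sys
from dataclasses import dataclass

# Long-term (AKIA) and temporary (ASIA) access key IDs: prefix + 16 base32-ish chars.
ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret keys are 40 base64-alphabet chars; require a nearby variable name so that
# random hashes and tokens do not trip the rule.
SECRET_KEY_RE = re.compile(
    r"(?i)aws_?secret_?access_?key\W{0,6}([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+=])"
)
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass(frozen=True)
class Finding:
    line_no: int   # line number in the new version of the file
    kind: str
    preview: str   # redacted; the full secret is never printed


def redact(value):
    return value[:4] + "..." + value[-4:]


def scan_text(text):
    """Scan arbitrary text; line numbers are relative to `text`."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append(Finding(n, "aws_access_key_id", redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(n, "aws_secret_access_key", redact(m.group(1))))
    return findings


def scan_diff(diff_text):
    """Scan only added lines of a unified diff, reporting new-file line numbers."""
    findings = []
    new_line = 0
    for raw in diff_text.splitlines():
        m = HUNK_RE.match(raw)
        if m:
            new_line = int(m.group(1))
            continue
        # File headers; an added line whose content itself starts with "++" is
        # indistinguishable from "+++ b/path" here and is skipped (rare, accepted).
        if raw.startswith(("+++", "---", "diff ", "index ")):
            continue
        if raw.startswith("+"):
            for f in scan_text(raw[1:]):
                findings.append(Finding(new_line, f.kind, f.preview))
            new_line += 1
        elif raw.startswith(" "):
            new_line += 1
        # removed ("-") lines do not advance the new-file counter
    return findings


# Constructed sample diff using AWS's documented placeholder credentials.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -10,2 +10,3 @@
 REGION = "us-east-1"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
"""


def main():
    """Run as a git pre-commit hook: exit 1 (block the commit) on any finding."""
    diff = subprocess.run(
        ["git", "diff", "--cached", "-U0"], capture_output=True, text=True, check=True
    ).stdout
    findings = scan_diff(diff)
    for f in findings:
        print(f"BLOCKED line {f.line_no}: {f.kind} {f.preview}", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Install it as `.git/hooks/pre-commit` (executable) and it blocks the commit locally, which is the only check you get on a free-tier public GitLab project without further setup. It does not replace server-side scanning: a committer can bypass a hook with `--no-verify`, so treat it as the first layer, not the last.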
But where were the threat actors? If this key were shipped to GitHub, we’d be seeing merry mining of Monero within minutes.
I suspect there are two contributing factors:
- The attackers go where the victims are: GitLab is much less popular a home for public repositories than GitHub.
- GitLab does not make discovery as easy: GitHub provides a firehose of public events that attackers can use to monitor for secrets. In fact, GitHub delays that firehose slightly so that its own secret scanning can race the attackers.