Microsoft-owned GitHub has expanded its token scanning service for identifying exposed developer credentials, bringing to several major cloud firms that provide access tokens.
GitHub’s new token scanning partners include Alibaba Cloud, AWS, Azure, Google Cloud, Mailgun, npm, Slack, Stripe, and Twilio.
GitHub already scans for its own OAuth tokens and personal access tokens and if it finds exposed credentials, GitHub notifies cloud providers, which in turn alerts the owner of the credential. The new partnerships mean GitHub's token scanning include access token formats from these firms.
Now if developers accidentally publish a token for products like Atlassian's Jira or chat app, Discord, the provider gets notified about a potential match -- within seconds, according to GitHub -- allowing them to revoke the token before it’s used maliciously, explained GitHub’s Justin Hutchings.
The token scanning service attempts to resolve a common problem that occurs when developers hard-code access keys and API keys for third-party services in apps or if they publish them in a pubically accessible repository, like on GitHub. In some cases, the keys can be used by an attacker to access sensitive data or systems that should normally be protected by those access keys.
Slack or Discord tokens, for example, could give access to private chats between developers who may be working with sensitive customer data.
GitHub’s token scanning works by scanning millions of commits pushed to public repositories hosted on GitHub. It scans for known token formats and when a match is found, it notifies the appropriate service provider who then should revoke the tokens and notify affected users.
Discord did just this a few weeks ago after a developer posted a Discord token in a pubic repository on GitHub.
GitHub has been running a private beta of the token scanning service with several cloud providers since April last year.
GitHub’s Patrick Twoomey explained last year that the token challenge arises from modern cloud-based development practices which involve “composing cloud services”, often with the help of access tokens.
“Composing cloud services like this is the norm going forward, but it comes with inherent security complexities,” wrote Twoomey. “Each cloud service a developer typically uses requires one or more credentials, often in the form of API tokens.
“In the wrong hands, they can be used to access sensitive customer data—or vast computing resources for mining cryptocurrency, presenting significant risks to both users and cloud service providers.”
GitHub has been scanning pubic repositories for GitHub OAuth tokens since 2015 and today said that since then it has flagged one billion tokens for validation by providers which then decide whether to revoke the token.