SENSITIVE INFORMATION DISCLOSURE IN SOURCE CODE

An application's source code may contain sensitive information that should never be exposed or accessible to anyone outside the team. Typical disclosures are hardcoded credentials, API keys, encryption keys or other critical data embedded directly in the codebase.




VULNERABILITY

Sensitive information disclosure in source code occurs when developers put secrets directly into the code for convenience and forget to remove them before committing or publishing it. Debugging output or verbose error messages added during testing can be overlooked and shipped in the final version. Sometimes configuration files meant for local use only (for example a .env file) are committed by mistake.

Third-party libraries and build artifacts can also leak data if they are not properly managed. Code repositories with weak access controls let unauthorized people read code with embedded secrets, and once a secret is out it is trivially easy for an attacker to misuse it.

IMPACT

The consequences of sensitive information disclosure in source code can be severe and multifaceted. Below are the main ways an attacker takes advantage of it:

Accessing Exposed Repositories:

If the source code is stored in a public repository (on GitHub, GitLab, Bitbucket or similar), attackers can browse or search through it to find hardcoded secrets such as API keys, database credentials or encryption keys. Internal repositories with weak access controls are exposed in the same way to anyone who can reach them.

Exploiting Version Control Systems:

Even if a secret was removed from the latest version, attackers can retrieve old revisions from the version history (for example with git log -p) where it still exists. Deleting a secret in a new commit does not delete it from the repository: every earlier commit that contained it remains readable until the history is rewritten, and the secret must be treated as compromised regardless.

Scanning for Secrets:

Attackers use automated tools or scripts (gitleaks and TruffleHog are two widely used open-source examples) to scan for common patterns of sensitive data, such as keywords like "password", "api_key" and "secret", fixed-format tokens like AWS access key IDs, and high-entropy strings, in code shared online, in public repositories or in private repositories with weak access controls. The same tools are equally useful to defenders for scanning their own repositories before an attacker does.
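A minimal version of such a scanner, added here as an illustration and not code from the original article or from any of the tools named above: it combines fixed-format patterns (AWS access key IDs, GitHub personal access tokens, PEM private key headers) with a generic keyword = "literal" rule that is ranked by Shannon entropy, so that a random-looking value is reported with higher confidence than a placeholder like "changeme". The sample source it scans is constructed and every value in it is a placeholder (AKIAIOSFODNN7EXAMPLE is the example key from the AWS documentation). The pattern set and the 3.5 bits-per-character threshold are assumptions chosen for this example.

```python
from __future__ import annotations

import math
import re
from collections import Counter
from dataclasses import dataclass

# Fixed-format credentials: the prefix and length alone are a strong signal.
FIXED_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic "keyword = 'literal'" assignment. The quoted value is captured so its
# entropy can be measured. The keyword is deliberately not word-anchored so that
# names like DB_PASSWORD or API_KEY_PROD still match.
ASSIGNMENT = re.compile(
    r"(?i)(?:password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)

# Shannon entropy (bits per character) above which a literal looks machine-generated.
# Assumed threshold for this example; real scanners tune this per value length.
ENTROPY_THRESHOLD = 3.5


@dataclass
class Finding:
    line_no: int
    kind: str
    confidence: str
    redacted: str


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of `value` (0.0 for an empty string)."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def redact(secret: str) -> str:
    """Keep just enough of the value to locate it, never enough to reuse it."""
    return secret[:4] + "***"


def scan_source(text: str) -> list[Finding]:
    """Scan one file's contents line by line and return the findings in order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        matched_fixed = False
        for kind, pattern in FIXED_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(line_no, kind, "high", redact(m.group(0))))
                matched_fixed = True
        if matched_fixed:
            continue  # do not report the same token a second time via the generic rule
        m = ASSIGNMENT.search(line)
        if m:
            value = m.group(1)
            confidence = "high" if shannon_entropy(value) >= ENTROPY_THRESHOLD else "low"
            findings.append(Finding(line_no, "hardcoded_assignment", confidence, redact(value)))
    return findings


# Constructed sample file: every value is a placeholder, not a real credential.
SAMPLE_SOURCE = """\
import os

# Constructed sample: the values below are placeholders, not real credentials.
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
GITHUB_TOKEN = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij"
api_key = "Xk9vQ2pL7mN4rT8wB3zH6jF1cD5"
DB_PASSWORD = "changeme"
db_password = os.environ["DB_PASSWORD"]
cert = "-----BEGIN RSA PRIVATE KEY-----"
token = ""
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.kind} ({f.confidence} confidence) {f.redacted}")
```

Run against the constructed sample, the scanner reports the AWS key, the GitHub token, the random-looking api_key and the private key header with high confidence, flags DB_PASSWORD = "changeme" with low confidence, and ignores the line that reads the password from the environment and the empty token. Fixed-format rules win over the generic rule on the same line so a token is not reported twice; a real scanner would also walk every commit in the history, not only the working tree.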

SOLUTION

To fix the vulnerability, follow these step-by-step solutions:

1. Revoke Exposed Credentials:

Immediately revoke or rotate any exposed credential, such as API keys, database passwords and access tokens. This is the only step that actually makes the leaked value worthless; everything below reduces exposure but cannot recall a secret that has already been copied.

2. Delete Sensitive Data:

Remove the sensitive data from the working tree, from the commit history and from every copy of the repository, including forks, mirrors and CI caches that may still hold it.

3. Review Commit History:

Use git log --all -p -S'<secret>' (the pickaxe search) or git grep '<secret>' $(git rev-list --all) to identify when and where the sensitive information was added, and git reflog to find commits that are no longer reachable from any branch. git bisect is for locating behavioural regressions and is not the right tool here.

4. Remove from Version History:

Use a tool like BFG Repo-Cleaner or git filter-repo (git filter-branch still works, but its own documentation now recommends filter-repo) to remove the sensitive data from the entire Git history, then force-push the rewritten history and have every collaborator re-clone, since existing clones still hold the old commits. Bear in mind that copies already taken by attackers, forks and the hosting provider's caches are not affected by the rewrite, which is why step 1 comes first.
# Example of using BFG Repo-Cleaner to remove a file containing secrets
git clone --mirror git@example.com:org/my-repo.git   # BFG expects a bare mirror clone; the URL is a placeholder
bfg --delete-files 'secrets.txt' my-repo.git
cd my-repo.git && git reflog expire --expire=now --all && git gc --prune=now --aggressive

5. Secure Storage:

Ensure that future secrets are never committed: read them at runtime from environment variables, configuration management tools or a secret management platform (e.g., HashiCorp Vault, AWS Secrets Manager), and add local files such as .env to .gitignore so they cannot be committed by accident.

6. Set Up Alerts:

Use monitoring to alert on exposed secrets and unusual access patterns in your code repository: a pre-commit hook or CI job that runs a secret scanner, the hosting platform's own secret scanning and push protection where available, and audit logging of repository access.

7. Limit Repository Access:

Ensure that only necessary team members have access to code repositories and sensitive data.

8. Enable Multi-factor Authentication (MFA):

Require MFA for all team members accessing code repositories to add an extra layer of security.
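As an added example (not code from the original article), here is the contrast between the hardcoded pattern this article warns against and a loader that reads the secret at runtime from the environment, or from a file whose path is given in a <name>_FILE variable as Docker-style secret mounts do, and fails closed when neither is set. The variable names and placeholder values are assumptions for illustration.

```python
from __future__ import annotations

import os
import tempfile
from pathlib import Path
from typing import Mapping, Optional

# BEFORE (the pattern this article warns against): the credential is a literal in
# the source, so it travels with every clone and stays in history after deletion.
# The value is a constructed placeholder, not a real password.
DB_PASSWORD_HARDCODED = "s3cr3t-pass-word"


class MissingSecret(RuntimeError):
    """Raised when a required secret is not provided by the environment."""


class Secret(str):
    """A str whose repr never shows the value, so it cannot leak through logging,
    tracebacks or debug dumps that use %r / repr(). str(s), f-strings and
    comparisons still yield the real value for use by the application."""

    def __repr__(self) -> str:
        return "Secret('***')"


def load_secret(name: str, env: Optional[Mapping[str, str]] = None) -> Secret:
    """AFTER: fetch `name` at runtime instead of embedding it in the code.

    Resolution order:
      1. <name>_FILE: path to a file holding the value (the convention used by
         Docker secrets and many container images); surrounding whitespace is stripped.
      2. <name>: the value itself in the environment.
    Anything else is an error: the application refuses to start with a missing or
    empty credential rather than silently falling back to a default.
    `env` defaults to os.environ and is a parameter only so the function can be
    exercised with a constructed mapping.
    """
    env = os.environ if env is None else env
    file_var = f"{name}_FILE"
    if env.get(file_var):
        return Secret(Path(env[file_var]).read_text(encoding="utf-8").strip())
    value = env.get(name, "")
    if value:
        return Secret(value)
    raise MissingSecret(f"{name} is not set; provide it via {name} or {file_var}")


def demo() -> list[str]:
    """Exercise all three paths with a constructed environment (no real secrets)."""
    lines: list[str] = []
    # 1. plain environment variable
    s = load_secret("DB_PASSWORD", {"DB_PASSWORD": "constructed-value"})
    lines.append(f"env: repr={s!r} usable={s == 'constructed-value'}")
    # 2. *_FILE indirection, with a temporary file standing in for a mounted secret
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("from-file\n")
        path = fh.name
    try:
        s = load_secret("DB_PASSWORD", {"DB_PASSWORD_FILE": path})
        lines.append(f"file: repr={s!r} usable={s == 'from-file'}")
    finally:
        os.unlink(path)
    # 3. nothing set: fail closed instead of using DB_PASSWORD_HARDCODED as a fallback
    try:
        load_secret("DB_PASSWORD", {})
    except MissingSecret as exc:
        lines.append(f"missing: {exc}")
    return lines


if __name__ == "__main__":
    print("\n".join(demo()))
```

The Secret wrapper is what keeps the value out of the next place it tends to leak, the logs: anything that formats it with repr() gets Secret('***'), while code that needs the real string still gets it. Refusing to start on a missing value matters because a hardcoded fallback is exactly how placeholders end up in production.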

Radhika Lad

Cyber Security Analyst

Location: Pune, India

Radhika is a web and network pentester and an enthusiast in the cyber security domain. Her primary focus is on vulnerability assessment and penetration testing of corporate networks, firewalls, web and cloud apps, and mobile apps. Coming from a finance and education background, she has a passion to get into the world of IoT and OT cyber security. She is always on the path of learning and trying new things in the domain she likes.