From trufflesecurity.com
Millions of Accounts Vulnerable due to Google’s OAuth Flaw ◆ Truffle Security Co.
Millions of Americans can have their data stolen right now because of a deficiency in Google’s “Sign in with Google” authentication flow. If you’ve worked for a startup in the past - especially one that has since shut down - you might be vulnerable.
on Jan 14
From trufflesecurity.com
You can Access Private Azure DevOps Repo Data ◆ Truffle Security Co.
A few weeks ago, we introduced a new class of vulnerability (Cross Fork Object Reference) and shared how they could be used to access deleted and private repo data on GitHub. Well, we’re back. Same topic, different provider. Except in some ways, it’s worse in the case of Azure DevOps (ADO).
on Sep 12
From trufflesecurity.com
TruffleHog Partners With Hugging Face to Scan for Secrets ◆ Truffle Security Co.
We're happy to announce that we've partnered with Hugging Face to bring TruffleHog’s secret scanning to the Hugging Face Hub.
on Sep 4
From trufflesecurity.com
TruffleHog now finds all Deleted & Private Commits on GitHub ◆ Truffle Security Co.
TruffleHog can now enumerate Cross Fork Object References (and deleted git history), and then scan them for secrets.
on Aug 4
From trufflesecurity.com
Anyone can Access Deleted and Private Repository Data on GitHub ◆ Truffle Security Co.
You can access data from deleted forks, deleted repositories and even private repositories on GitHub. And it is available forever. This is known by GitHub, and intentionally designed that way.
on Jul 27
From trufflesecurity.com
Secrets in Source Code Are Not A Code Security Problem ◆ Truffle Security Co.
Seven years ago I created TruffleHog; today I'm putting this blog out with the creator of GitLeaks, to reshape how the industry thinks about secrets in our code. Many companies now offer a secret scanning DevSecOps CI/CD suite to keep your source code secure. They’re wrong. API keys in your...
on Jul 25
From trufflesecurity.com
TruffleHog is an open-source secret scanning engine that detects and helps resolve secrets across your entire tech stack. Learn more...
on Jul 25
From trufflesecurity.com
Credentials Leaking with Subdomain Takeover ◆ Truffle Security Co.
We’re disclosing new techniques to steal sensitive data in localStorage (like API keys and passwords) via subdomain takeover.
on Jun 3
From trufflesecurity.com
Stop Recommending JWTs (with symmetric keys) ◆ Truffle Security Co.
This post focuses on the popular symmetric cryptography choice, and our analysis of its implementation in the wild.
on May 28
From trufflesecurity.com
(The) Postman Carries Lots of Secrets ◆ Truffle Security Co.
Postman, the popular API testing platform, hosts the largest collection of public APIs. Unfortunately, it’s become one of the largest public sources of leaked secrets. We estimate over 4,000 live credentials are currently leaking publicly on Postman for a variety of popular SaaS and cloud providers.
on Apr 25
From trufflesecurity.com
The Keyboard Button that Displays Linux Root Memory ◆ Truffle Security Co.
You might be wondering, what button on the keyboard could possibly leak root memory? Well, there's this button to the right of the backspace button, above the insert button, which I, and probably you too, had literally never pressed (until recently). It's labeled "SysRq".
on Apr 16
From trufflesecurity.com
TruffleHog Now Detects AWS Canaries without setting them off ◆ Truffle Security Co.
Today we’re unveiling a novel way to identify canarytokens.org canaries completely statically without setting them off. Thinkst offers self-hosted and paid alternatives that are protected from these techniques. We’re open sourcing this capability and including it in TruffleHog.
on Feb 29
From trufflesecurity.com
The Risks of a Leaked Stripe API Key - Truffle Security
Millions of businesses use Stripe’s payment processing platform every day. What could happen if a Stripe API key is leaked (or stolen)?
on Feb 4
From trufflesecurity.com
Research Uncovers AWS Account Numbers Hidden in Access Keys - Truffle Security
Our interview with Tal Be'ery, the researcher who discovered a way to extract AWS account numbers from AWS access key IDs.
on Jan 20, 2024
From trufflesecurity.com
Google OAuth is broken (sort of) - Truffle Security
A Google OAuth vulnerability that allows employees to maintain access to services after they're offboarded.
on Dec 16, 2023
From trufflesecurity.com
Unearth Your Secrets - Truffle Security
Truffle Security offers the first automated solution to continuously scan your environment for secrets like private keys and credentials, so you can protect your data before a breach occurs.
on Nov 9, 2023
From trufflesecurity.com
Thousands of GitHub Comments Leak Live API Keys - Truffle Security
GitHub Issue and Pull Request comments contain thousands of live API keys and passwords. TruffleHog now supports scanning GitHub Issues/PRs.
on Oct 5, 2023