Truffle Hog Finds Security Keys Hidden in GitHub Code

A tool is now available on GitHub for finding security keys that might have been accidentally left behind in open source code.

Are the keys to your kingdom hidden in plain sight?

The secret keys securing your data might be publicly exposed, just waiting for the black hats to find them. If you think not, you might want to think again -- just to be on the safe side. Developers often hide keys in their code, then forget they're there. If the project is open source and posted to a public repository like GitHub, this could be problematic. Although finding keys hidden in source code can be a needle-in-the-haystack experience, a researcher has now made the job easier by publishing a tool on GitHub, Truffle Hog, for sniffing out inadvertently left behind secret keys that are waiting to be found.

The project is the work of Dylan Ayrey, who issued a warning about pastejacking back in May. If you're in DevOps, you might want to thank him, although the release of Truffle Hog might be something of a double-edged sword. After all, if you now have a freely available tool to find doormats in your code under which you've hidden important keys, so do the bad guys -- and sooner or later they'll get around to looking through your code instead of somebody else's. Now might be the time to make sure you've left no keys hidden away before they come knocking.

The way Truffle Hog works is both clever and simple. A Python script goes through a repository's entire commit history looking for text strings that are 20 characters or longer, then analyzes their Shannon entropy to find apparently random strings of numbers and letters, which may be keys. If a high-entropy string is found, it's printed to the screen.
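A sketch of that entropy check, added here as an illustration and not taken from Truffle Hog's source: it scans the added lines of a constructed diff for long, high-entropy strings. The character sets and thresholds are assumptions, since the article states only the 20-character minimum.

```python
import math
import re

# Assumed values: the article gives only the 20-character minimum, not the
# character sets or the entropy thresholds (bits per character) used here.
MIN_LEN = 20
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
HEX = "0123456789abcdefABCDEF"
THRESHOLDS = ((HEX, 3.0), (B64, 4.5))


def shannon_entropy(s):
    """Bits per character: H = -sum(p * log2(p)) over the symbols in s."""
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def runs(text, charset):
    """Maximal runs of charset characters that are at least MIN_LEN long."""
    return re.findall("[%s]{%d,}" % (re.escape(charset), MIN_LEN), text)


def scan_added_lines(diff_text):
    """Return (line_no, string, entropy) for each flagged string on a '+' line."""
    findings = []
    for line_no, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # only content a commit added; skip file headers
        for charset, threshold in THRESHOLDS:
            for run in runs(line[1:], charset):
                h = shannon_entropy(run)
                if h > threshold:
                    findings.append((line_no, run, round(h, 2)))
    return findings


# Constructed sample diff; none of these values is a real credential.
SAMPLE_DIFF = """\
+++ b/settings.py
+API_URL = "https://api.example.com/v1/resources/list"
+SECRET = "kR7vQ2mX9pL4tZ8wB1nY6cJ3hF5dG0sAeUiOqWzT"
+DIGEST = "0123456789abcdef0123456789abcdef01234567"
+PADDING = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-OLD_NAME = "unused"
"""

if __name__ == "__main__":
    for line_no, run, h in scan_added_lines(SAMPLE_DIFF):
        print("line %d: %s (entropy %.2f)" % (line_no, run, h))
```

The URL path and the padding string pass the length test but fall below the thresholds, which is why length alone is not enough; the hex digest shows the check's limit, since any hash or checksum is flagged just like a key.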

According to commenters on a Reddit thread about Truffle Hog, Amazon Web Services has already been using a similar tool for the same purpose. "I have accidentally committed my AWS secret keys before to a public repo," user KingOtar wrote. "Amazon actually found them and shut down my account until I created new ones. Kinda neat Amazon."

"Probably because bots have been known to scan GitHub, snatch the keys, spin up massive AWS instances, then the owner finds out that he has a $2,000 bill," another Redditor replied. "It's cheaper for Amazon to preemptively do this."

It might be cheaper for you too if you follow Amazon's lead. Again, like any good security tool, Truffle Hog is certain to end up in the arsenals of both white and black hats. Having a lost and forgotten but still-in-use security key recovered by a black hat would probably make for a bad week.
