
GitHub Turns on Default Protection Against Secret Leaks

Good morning! GitHub has enabled a new "push protection" capability by default for all public repositories to automatically scan code commits for accidental secret credential leaks. Stack Overflow launched a paid API to let AI systems access its high quality, human-generated programming content, with Google signing on first to improve its Gemini coding assistant. A company called YX International that routes global text messages left a database exposed that contained sensitive two-factor authentication codes, demonstrating vulnerabilities in how user data flows through interconnected third-party systems.  

GitHub Turns on Default Protection Against Secret Leaks

Recently, GitHub has seen lots of accidental leaks of sensitive information like API keys and tokens in public repositories. These accidental credential leaks can lead to major security issues like data breaches and reputation damage if hackers gain access.

The Problem: In just the first 8 weeks of 2024 alone, GitHub detected over 1 million leaked secrets in public repositories. That comes out to around 15 leaks every minute.

To combat this issue, GitHub has enabled a new security capability called "push protection" by default for all public repositories.

What Push Protection Does

  • Automatically scans code commits during git push actions, checking for over 200 token types and patterns from 180+ services

  • Blocks the commit if a potential secret credential is detected until the user removes the secret or confirms it is safe to share publicly

This prevents accidental secret leaks before they happen.

Organizations using GitHub Enterprise also gain access to extra features like advanced secret scanning for private repositories through GitHub Advanced Security.

Users retain some flexibility:

  • Can fully disable push protection if they want in their security settings, though this is not recommended by GitHub because it removes a layer of defense against leaks

  • Can allow specific secrets to pass through push protection if they are sure they are safe to share
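To make the mechanism concrete, here is a small scanner in the spirit of push protection: it reads the added (`+`) lines of a unified diff, matches them against a handful of token formats, redacts whatever it finds, and reports whether the push should be blocked, with an allowlist standing in for the "allow this specific secret" bypass described above. This is an added example written for this note, not GitHub's code; the three regexes, the `Finding` type, the sample diff and the token strings in it are all constructed for illustration and cover a tiny fraction of the 200+ patterns the real feature checks.

```python
import re
from dataclasses import dataclass

# Constructed subset of token formats; the real service checks far more.
SECRET_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


@dataclass(frozen=True)
class Finding:
    kind: str       # which pattern fired
    line_no: int    # line number in the new version of the file
    redacted: str   # masked token so the report itself does not leak it


def redact(token: str) -> str:
    """Keep a short prefix for identification and mask the rest."""
    return token[:4] + "*" * (len(token) - 4)


def scan_added_lines(diff_text: str, allowlist: frozenset = frozenset()) -> list:
    """Scan only the '+' lines of a unified diff: removed lines never reach the remote.

    Tokens listed in `allowlist` are skipped, mirroring a user-approved bypass.
    """
    findings = []
    in_hunk = False
    new_line_no = 0
    for line in diff_text.splitlines():
        if line.startswith("diff --git"):
            in_hunk = False
            continue
        if line.startswith("@@"):
            # "@@ -a,b +c,d @@": c is the first line number of the new file
            m = re.search(r"\+(\d+)", line)
            new_line_no = int(m.group(1)) - 1 if m else 0
            in_hunk = True
            continue
        if not in_hunk or line.startswith(("+++", "---", "-")):
            continue
        new_line_no += 1  # context and added lines both advance the new-file counter
        if not line.startswith("+"):
            continue
        content = line[1:]
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(content):
                if m.group(0) in allowlist:
                    continue
                findings.append(Finding(kind, new_line_no, redact(m.group(0))))
    return findings


def should_block(findings: list) -> bool:
    """Push protection semantics: any unapproved finding blocks the push."""
    return len(findings) > 0


# Constructed diff; every token below is fake and exists only for this example.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
-API_KEY = os.environ["GITHUB_TOKEN"]
+GITHUB_TOKEN = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij"
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY000001"
+PUBLIC_SAMPLE = "AKIATESTSAMPLE000002"
 DEBUG = False
"""

if __name__ == "__main__":
    for f in scan_added_lines(SAMPLE_DIFF):
        print(f"{f.kind} at line {f.line_no}: {f.redacted}")
    print("blocked:", should_block(scan_added_lines(SAMPLE_DIFF)))
```

Run as a pre-push hook, the script would read the diff between the local branch and the remote ref and exit non-zero when `should_block` is true; the allowlist would hold only values a reviewer has explicitly marked as safe to publish.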

Read More Here

Stack Overflow Introduces Paid API for AI Building

Stack Overflow has faced challenges recently as developers shift to using AI coding assistants.

The Issue: AI systems need Stack Overflow's high quality, human-generated content for training. But they also risk replacing the site's main utility for developers.

Stack Overflow's Solution: It has launched a paid API that gives AI developers access to Stack Overflow content, with attribution back to the relevant posts required.

Key Details

  • Google signed on first, using it to improve its Gemini AI assistant's coding abilities. Lets Gemini leverage the platform's community expertise.

  • Addresses Stack Overflow's falling organic traffic. API helps monetize data in the AI era.

This makes it easier for AI developers to incorporate programming knowledge into their models, but it ends free access to Stack Overflow data. The site believes its curated content has tangible value worth paying for.

Read More Here

Text Message Company Leaks Access Codes

A company called YX International routes text messages between cell networks worldwide. They left one of their databases openly accessible on the internet without a password. Researcher Anurag Sen discovered the unprotected database and realized it contained sensitive two-factor authentication codes.

  • The logs included one-time passcodes and account recovery links meant to be sent via text message to sites like Facebook and Google.

  • If obtained, these codes could have granted hackers access to user accounts protected by two-factor authentication.

While text message-based two-factor authentication is convenient, it is less secure than other methods. Texts can be intercepted when routed through untrusted parties. This incident demonstrates vulnerabilities around how user data flows through third-party systems.

YX International claims to transmit 5 million daily text messages globally. They have now secured the database, but it is unclear how long information was exposed. Major tech companies have not publicly commented on the issue.

As user data increasingly moves through interconnected systems, we need:

  • Stricter security practices around sensitive infrastructure like SMS routing

  • Safer alternatives for authentication beyond text message codes

  • Better rules and standards for privacy protections and user security across third-party services

Read More Here

🔥 More Notes

YouTube Spotlight

How a Formula 1 Race Car Works

Click to Watch

As you guys know, the first F1 race of the season was this weekend. This video shows how a Formula 1 race car works: Animagraffs covers everything from aerodynamics and suspension to the engine, braking system, safety features, cockpit design, and more.
