3eb7988a1663 3 hours ago

The post keeps saying "verified secrets" - how are they verified? Did the author attempt to log in to each service? Or does verified just mean that it looks like a valid token?

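The distinction this question draws, between a string that merely matches a token pattern and one confirmed by a live check against the service, as an added example. This is illustrative code, not TruffleHog's or the post author's; the token shape, the endpoint and the fake responder are constructed for the demo, and the HTTP call is injected so it runs offline.

```python
import re
from typing import Callable, Mapping

# Constructed pattern for one token family: 'ghp_' followed by 36 alphanumerics.
# Assumed shape for the demo, not a claim about any tool's detector set.
TOKEN_PATTERN = re.compile(r"\bghp_[A-Za-z0-9]{36}\b")

# Constructed sample inputs (not real credentials).
LIVE_TOKEN = "ghp_" + "A" * 36
DEAD_TOKEN = "ghp_" + "B" * 36
SAMPLE_TEXT = f"""
# .env committed by mistake (constructed sample)
GITHUB_TOKEN={LIVE_TOKEN}
# rotated last year, no longer works
OLD_TOKEN={DEAD_TOKEN}
"""


def fake_http_get(url: str, headers: Mapping[str, str]) -> int:
    """Constructed stand-in for the remote API: only LIVE_TOKEN authenticates."""
    token = headers.get("Authorization", "").removeprefix("token ")
    return 200 if token == LIVE_TOKEN else 401


def find_candidates(text: str) -> list[str]:
    """Stage 1: pattern match. A hit here means only 'looks like a token'."""
    return TOKEN_PATTERN.findall(text)


def verify(token: str, http_get: Callable[[str, Mapping[str, str]], int]) -> bool:
    """Stage 2: live check. Present the token to an endpoint that requires
    authentication and treat HTTP 200 as proof it is currently valid.
    Any other status (401, 403, 404, ...) leaves the candidate unverified.
    A real scanner makes this request for real, so verification is itself
    an authentication attempt against the third-party service."""
    url = "https://api.github.com/user"  # assumed endpoint for the demo
    return http_get(url, {"Authorization": f"token {token}"}) == 200


def classify(text: str, http_get) -> dict[str, str]:
    """Map each pattern hit to 'verified' or 'unverified'."""
    return {tok: ("verified" if verify(tok, http_get) else "unverified")
            for tok in find_candidates(text)}


if __name__ == "__main__":
    for tok, status in classify(SAMPLE_TEXT, fake_http_get).items():
        print(f"{tok[:8]}... {status}")
```

Both sample tokens pass stage 1; only the one the responder accepts is reported as verified. The practical caveat is in `verify`: a verified count is a count of successful logins with other people's credentials, which will show up in those services' audit logs.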
jsiepkes 3 hours ago

> Each Lambda invocation executed a simple TruffleHog scan command with concurrency set to 1000. This setup allowed me to complete the scan of 5,600,000 repositories in just over 24 hours.

Gitlab must have been thrilled about a bot cloning 5.6 million repos in 24 hours. That doesn't really sound responsible to me.

  • treyd 3 hours ago

    That's 64 clones per second. That's quite a lot but it seems like something that a forge operating at the scale of GitHub can handle, especially if they were --depth=1 (which might have missed some secrets if someone was lazy about clearing their git history).

    • nojs an hour ago

      Gitlab*

  • 3eb7988a1663 an hour ago

    I also thought the sleep(0.03) was cute. Some well deserved rest for the server to avoid hammering it.

  • 47282847 an hour ago

    If they don’t like it, they will apply rate limiting? Assuming they were well behaved (user agent, IPs).

vatsachak 3 hours ago

9000 in bounties for 17,000 secrets?

You could make as much in a month creating those vulnerabilities