explodingcamera, this gist would be much easier to read if you applied some light formatting to it. Perhaps even as little as adding a '.md' file extension to the gist "filename" would be sufficient to get word wrap.
Companies don't generally send out notifications like this for bug bounty reports or pentesting engagements - kind of implies that they found it being exploited in the wild.
Very interesting. I wonder if any private organisations setup a pseudo/canary repositories, that when pulled triggered an alarm? Or simply contained some monitored API keys or credentials to spot any activity/Insider threats.
Might be a neat idea for those businesses that are concerned about their private repos (either cloud hosted or self hosted).
May have picked up if anyone was able to exploit this.
5 comments
[ 3.1 ms ] story [ 24.3 ms ] thread[1] https://gist.githubusercontent.com/explodingcamera/57013844d...
Very interesting. I wonder if any private organisations setup a pseudo/canary repositories, that when pulled triggered an alarm? Or simply contained some monitored API keys or credentials to spot any activity/Insider threats.
Might be a neat idea for those businesses that are concerned about their private repos (either cloud hosted or self hosted).
May have picked up if anyone was able to exploit this.