“First we thought the PC was a calculator. Then we found out how to turn numbers into letters with ASCII — and we thought it was a typewriter. Then we discovered graphics, and we thought it was a television. With the World Wide Web, we’ve realized it’s a brochure.” ― Douglas Adams
When you develop an application, often you could need to store some configurations. This data can contain a lot of sensitive informations, and this is a critical point if your sourcecode is hosted on a GitHub repository.
GitHub is a web-based Git or version control repository and Internet hosting service. It is mostly used for code. It offers all of the distributed version control and source code management (SCM) functionality of Git as well as adding its own features. It provides access control and several collaboration features such as bug tracking, feature requests, task management, and wikis for every project.
Many companies also use GitHub as a convenient place to host both private and public code repositories.
However sometimes employees accidentally publish sourcefiles that might contain sensitive information, like API keys or database credentials.
I’ve already talked about “dorks”, regarding the well known “Google Dorking”:
In 2002, Johnny Longbegan to collect interesting Google search queries that uncovers vulnerable systems or sensitive information, and calls them “Google dorks”.
We identify with “Google Dorking” the method for finding vulnerable targets using the google dorks in order to obtain usernames and passwords, email lists, sensitive documents and website vulnerabilities.
Similar to Google Dorking, GitHub Dorking uses specific search keys to find sensitive information in public repositories.