Tim Anderson’s article explores how lingering commit history on GitHub enabled a researcher to find secrets—including admin tokens for Istio—highlighting security risks and mitigation strategies for developers.

Security Risks from Deleted GitHub Commits: Admin Access to Istio Exposed

A recent investigation by security researcher Sharon Brizinov has brought attention to a lesser-known threat in source control use: secrets disclosed in ‘deleted’ GitHub commits can persist in public archives, exposing critical credentials long after a developer tries to remove them.

Key Incident Details

  • Brizinov searched public GitHub commit archives for forgotten or ‘deleted’ commits.
  • He uncovered a Personal Access Token (PAT) for an Istio project developer, which granted admin access to all Istio repositories. Istio is a major open-source service mesh solution used alongside Kubernetes in many enterprises.
  • The exposed token was revoked after discovery, but the event illustrates the real risk posed by improper secret management in code repositories and the permanence of Git history.

Why Are Secrets Hard to Delete?

  • When sensitive information is accidentally committed, developers often try to ‘fix’ the issue by deleting or force-pushing history.
  • Force-pushing only re-aligns the branch pointer; the actual commit still exists and can be retrieved by SHA1 hash or via repository archives like GH Archive.
  • Complete removal typically requires tools like git-filter-repo and manual intervention from GitHub support, including pull request purging and garbage collection.

Exploitation and Tooling

  • Brizinov used GH Archive (which logs all public repo activity in BigQuery) and a custom script to find orphaned commits and search for secrets such as PATs and AWS credentials.
  • The most common leak involved .env files, representing over half of all discovered sensitive disclosures.
  • Other tools, like Truffle Security, automate searching for leaked secrets but are less effective once exposure is public.

Mitigation and Best Practices

  • Immediate Response: Revoke any exposed tokens or credentials and change relevant passwords.
  • Prevention: Use pre-commit hooks (e.g., AWS git-secrets) to scan for sensitive data before pushing.
  • Cleaning History: For actual deletion, employ advanced tools and reach out to platform support for deep clean-up.
  • Awareness: Educate development teams on Git’s immutable nature and on risk factors like GH Archive/other public mirrors.

Further Reading

Staying vigilant with secrets in source control isn’t just best practice—it’s vital to preventing wide-reaching security incidents.

This post appeared first on “DevClass”. Read the entire article here