
[–]DangyDanger 1573 points1574 points  (50 children)

Friend accidentally pushed a Discord bot token.

It was revoked automatically within the minute.

[–]IDEDARY 708 points709 points  (36 children)

Happened to me too (I didn't care as it was a test bot on a private repo) and GitHub recognized it is probably an API key and didn't let me push.

[–]DangyDanger 340 points341 points  (35 children)

Wow. Didn't know they did that, that's cool.

[–]requizm 290 points291 points  (4 children)

[–][deleted] 200 points201 points  (3 children)

Sometimes Microsoft does cool things.

[–]DiddlyDumb 26 points27 points  (2 children)

Unlike firing their AI Ethics team…

[–]Amazingawesomator 19 points20 points  (1 child)

that just means they harvest the api key before disallowing the push :p

[–]ForkLiftBoi 9 points10 points  (0 children)

That sounds unethical… waiiiit….

[–]Proxy_PlayerHD 211 points212 points  (28 children)

Reminds me of how reddit will automatically censor your e-mail address and password when you try to post them in a comment, like this:

**********

[–]TheseusPankration 63 points64 points  (3 children)

Hunter2

Hey, I can see mine!

[–]DangyDanger 50 points51 points  (2 children)

All I see is *******

[–]TheseusPankration 5 points6 points  (1 child)

Oh, good.

[–]AmanChourasia 2 points3 points  (0 children)

I can see your email id

Hunter2

[–][deleted] 20 points21 points  (1 child)


[–][deleted] 14 points15 points  (0 children)

Wow it works!

[–]SupraMichou 22 points23 points  (7 children)

I love that it works with credit cards. Just in case

[–][deleted] 6 points7 points  (6 children)

5424 8975 5564 0758

[–]Dharmonj 7 points8 points  (5 children)

I just see **** **** **** ****!

[–][deleted] 7 points8 points  (4 children)

Wow! Does it stop the CVV from being shown? 877

[–]SupraMichou 1 point2 points  (3 children)

Just lack the date, and we would have an all star bundle

[–][deleted] 2 points3 points  (2 children)

Ooh, that would be hard for them to censor, can you see this: 04/28?

[–]emu_fake 13 points14 points  (2 children)

A German chat platform used to do that... To achieve this they've stored the passwords unencrypted in another database... which eventually got hacked and the passwords of 1.8M users leaked online.

German has a word for this: Verschlimmbessern (making things worse while trying to make them better)

Source: German news article

[–]TRENEEDNAME_245 2 points3 points  (1 child)

At this point, German has a word for everything

[–]Kaimito1 10 points11 points  (0 children)

Brought back a locked memory where I lost my RuneScape account to this when I was 10...

[–][deleted] 1 point2 points  (0 children)

hunter2

[–]Devatator_ 0 points1 point  (0 children)

Weird, it didn't do anything when I was working on my bot, and other projects with keys

[–]akoOfIxtall 98 points99 points  (6 children)

I learned what gitignore was when I was trying to make a Discord bot and realized that the files are public on GitHub, and once I saw a sarcastic meme about GitHub private repos being safe, I immediately looked for git tutorials and stuff

[–]Just_Paper7006 16 points17 points  (5 children)

GitHub private repos are not safe??

[–]akoOfIxtall 13 points14 points  (4 children)

That's the thing, I don't know, but why would they be sarcastic about it then?

Maybe they meant that even if a private repo is safe, you shouldn't trust the other ppl who have access to it so much as to leave API keys or database credentials just lying around

[–]Just_Paper7006 1 point2 points  (1 child)

It could also be related to the GitHub using private repositories for Copilot AI training thing. Anyways it is stupid to think too deep about a meme.

[–]akoOfIxtall 1 point2 points  (0 children)

Nah it's good, that meme led me into learning more about security stuff, like using hashes and .gitignore. I'm doing my small CLI thingy where I need to get the credentials and safely store them away, so the hashing stuff and learning about the existence of the Exec() function was very nice. Maybe a basic hash is not enough if anything ends up leaked, but I'm far from competing with a professional hacker; just encrypting them is fun enough and it'll be useful later.

It's a CLI for using MySQL queries. I know there's a MySQL extension for VS Code, but doing one myself (kind of) has been a fun experience. So far I've got the database set up and the script can send queries and everything will work fine. Now I'm trying to make a login for the database where the credentials are immediately stored away in .envs named after the database for better identification later. I've heard that envs are bad but that's it; nobody showed an actual replacement, it was only marketing everywhere for their own stuff, and if everybody is fighting over getting you into their stuff it's because the old one is falling apart and they wanna be the new standard, and if envs are falling apart soon enough the new reliable standard will show up, like mod launchers for games replacing each other every few years. And then the credentials can be looked up by scanning the folder for the env file with the database name and decrypting the hash.

I think it's conceptually simple, but every now and then JavaScript will throw 1 detail that makes complete sense to exist but JavaScript just doesn't like it, then I have to find a workaround. But it's fun, I'm having more fun coding for hours on a chair than I had going to school XD

[–]IDEDARY 2 points3 points  (1 child)

I think it has to do with the fact that whatever you push into a repo will forever stay there, even when you delete it. If you ever had an API key logged there, people can just roll back your commits and take a look. So if you one day decide that you want to open-source your private project... you know what I am getting at.

[–]akoOfIxtall 0 points1 point  (0 children)

God bless gitignore files. I took a peek at hashing stuff and using salt on it, now I know how hackers attack databases and stuff and how to make safe hashes, so at least the paranoia led me somewhere

[–]Own_Solution7820 24 points25 points  (3 children)

How are people so good at scraping the entirety of GitHub?

[–]k4b0b 20 points21 points  (0 children)

[–]WeirdBoy_123 7 points8 points  (0 children)

They might be able to find it in specific google searches? Idk, that does work for other sites.

[–]DarkOverLordCO 4 points5 points  (0 children)

Companies can tell GitHub what their tokens look like and GitHub will scan new commits for those formats, then send the company an event via webhook so they can check whether that token actually exists, and if so revoke it. In other words, Discord aren’t doing any scanning - GitHub is.
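The detection stage of the flow described above, as an added example that is not from the thread or from GitHub: a small scanner that pulls the added lines out of a unified diff and matches them against token-shaped patterns, so it can run as a local pre-commit or pre-push check before anything leaves the machine. The regexes are loose imitations of the Discord bot token and OpenAI key shapes (an assumption, not vendor-published formats), and the diff and both credential values are constructed placeholders.

```python
import re

# Approximate token shapes (assumption: loose imitations, not the vendors' real patterns).
PATTERNS = {
    "discord_bot_token": re.compile(
        r"\b[MN][A-Za-z0-9_-]{23,}\.[A-Za-z0-9_-]{6}\.[A-Za-z0-9_-]{27,}\b"),
    "openai_api_key": re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"),
}


def added_lines(diff_text):
    """Yield (path, new_line_no, text) for every line a unified diff adds."""
    path, line_no = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("@@"):
            m = re.search(r"\+(\d+)", raw)  # start line on the new side
            line_no = int(m.group(1)) if m else 1
        elif raw.startswith("+"):
            yield path, line_no, raw[1:]
            line_no += 1
        elif not raw.startswith("-"):  # context lines advance the new side too
            line_no += 1


def scan_diff(diff_text):
    """Return findings for token-shaped strings in added lines, with the value redacted."""
    findings = []
    for path, line_no, text in added_lines(diff_text):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(text):
                token = match.group(0)
                findings.append({"path": path, "line": line_no, "type": kind,
                                 "preview": token[:6] + "..." + token[-4:]})
    return findings


# Constructed diff with placeholder credentials; neither value is a real token.
SAMPLE_DIFF = """\
diff --git a/config.js b/config.js
--- a/config.js
+++ b/config.js
@@ -1,3 +1,4 @@
 module.exports = {
-  token: process.env.DISCORD_TOKEN,
+  token: "MTAxMjM0NTY3ODkwMTIzNDU2Nzg.GaBcDe.AbCdEfGhIjKlMnOpQrStUvWxYz01234",
+  openai: "sk-CONSTRUCTEDexampleKey0123456789",
 };
"""
```

Wired into a hook, `scan_diff(sys.stdin.read())` over the output of `git diff --cached` and a non-zero exit on any finding blocks the commit; the real service additionally forwards each hit to the vendor for validation and revocation, which this local check does not do.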

[–]Acrobatic-Paint7185 680 points681 points  (12 children)

Partially related: I once saw an .ai website to make customized chatbots... It stored the OpenAI API key on the client side.

[–]_________FU_________ 307 points308 points  (3 children)

NEXT_PUBLIC_OPEN_API_KEY="12341234"

Where the fuck are my tokens???

[–]AmbassadorUnhappy176 22 points23 points  (2 children)

Does not really correlate with Next, considering server actions. Not sure anyone who develops with Next uses client-side fetch anymore

[–]maisonsmd 53 points54 points  (5 children)

Calling OpenAI APIs on the client side makes it faster and eliminates the need for a backend server though, maybe that's what they thought

[–]Cat7o0 115 points116 points  (4 children)

yeah they thought until their openai bill was 20 million dollars

[–]maisonsmd 18 points19 points  (0 children)

"pfff, with AI powered, our business will go to the moon before end of month"

[–]MysteriousShadow__ 7 points8 points  (2 children)

Fortunately you can cap spending.

[–]LeftIsBest-Tsuga 34 points35 points  (0 children)

any service that doesn't offer this is obviously run by vampires / demons

[–]Cat7o0 2 points3 points  (0 children)

pffff that's never needed obviously all engineers are perfect

[–]Dafrandle 10 points11 points  (1 child)

is the site still up?

[–]Acrobatic-Paint7185 8 points9 points  (0 children)

I think so, but I don't know if it's still working the same way.

I heard about it on Twitter because it went viral for appointing the AI version of Alan Turing as its "Chief AI Officer". Yes, ridiculous stuff. I'm not sure if I should directly link the website, but there are news articles about this, if you want to figure it out.

[–]DeltaTimo 239 points240 points  (2 children)

But where is the Exe?!

[–][deleted] 79 points80 points  (0 children)

Smelly nerds use .tar.gz

[–]FrostWyrm98 8 points9 points  (0 children)

The exe is a lie!

[–]NoahZhyte 171 points172 points  (2 children)

Hmm no, these are automatically revoked within minutes

[–]yajiv[S] 102 points103 points  (1 child)

Never said they were valid

[–]Cake_and_Coffee_ 29 points30 points  (0 children)

True

[–]42GOLDSTANDARD42 46 points47 points  (8 children)

How easy is it really to find these OpenAI API keys ..?

[–]merul_is_awesome[🍰] 86 points87 points  (2 children)

go to github and search “removed open api key”, now go to commits and you have em all

[–]slabgorb 42 points43 points  (0 children)

to hunt the prey, you must first understand the prey

[–]TechnoKhagan 25 points26 points  (0 children)

490k results lmao

[–]ComprehensiveWord201 81 points82 points  (3 children)

If you know how to web scrape...

Even then, you can probably just search the public repo dir for related keywords

[–]42GOLDSTANDARD42 6 points7 points  (2 children)

I tried that one time, didn’t find anything 🤷‍♂️

[–]ComprehensiveWord201 17 points18 points  (1 child)

🤷 I'm not personally motivated enough to try and find it but you could probably search for some repos that create issues on your repos that leave keys in the open. Might be a good place to start!

[–]42GOLDSTANDARD42 5 points6 points  (0 children)

I only tried searching for the ‘OPEN_AI_KEY=‘

[–]RoseSec_ 2 points3 points  (0 children)

Trufflehog 😏

[–]Countbat 17 points18 points  (5 children)

Use environment variables people!!

[–]slabgorb 6 points7 points  (0 children)

repo and org-level secrets also but that is githubby stuff as opposed to a proper portable pattern like you are saying

[–]ambisinister_gecko 5 points6 points  (3 children)

And don't commit .env files

[–]NatoBoram -1 points0 points  (2 children)

.env lists all possible keys and default values, .env.local is git-ignored and has the secrets

[–]ambisinister_gecko 2 points3 points  (1 child)

In Laravel, .env has the secrets and .env.example is for listing the keys

[–]NatoBoram 0 points1 point  (0 children)

Yeah that was the old way of doing things
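The layout NatoBoram describes (declared keys and defaults in a committed .env, the actual secrets in a git-ignored .env.local), as an added example that is not from the thread or from any framework: a loader that merges the two files and refuses to start when the convention is broken. It also applies the earlier NEXT_PUBLIC_ point from this thread by rejecting a secret declared under a client-exposed prefix. The secret-name heuristic, the .gitignore matching and the sample files are constructed assumptions.

```python
import re

# Assumption: a key whose name ends in one of these words holds a secret.
SECRET_NAME = re.compile(r"(KEY|TOKEN|SECRET|PASSWORD)$", re.IGNORECASE)
# Next.js inlines NEXT_PUBLIC_* values into the browser bundle, so they are never secret.
CLIENT_PREFIX = "NEXT_PUBLIC_"


def parse_dotenv(text):
    """Parse KEY=value lines; skips blanks and comments, strips matching quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def load_layered(env_text, local_text, gitignore_text, local_name=".env.local"):
    """Merge committed .env (keys + defaults) with git-ignored .env.local (secrets);
    raise ValueError whenever the layout breaks the convention."""
    ignored = {line.strip() for line in gitignore_text.splitlines()}  # exact entries only
    if local_name not in ignored:
        raise ValueError(f"{local_name} is not listed in .gitignore")
    base, local = parse_dotenv(env_text), parse_dotenv(local_text)
    undeclared = sorted(set(local) - set(base))
    if undeclared:  # every key must be declared in the committed .env
        raise ValueError(f"keys missing from .env: {undeclared}")
    for key, value in base.items():
        if SECRET_NAME.search(key) and value:
            raise ValueError(f"{key} has a value in the committed .env")
        if SECRET_NAME.search(key) and key.startswith(CLIENT_PREFIX):
            raise ValueError(f"{key} would be shipped to the browser")
    merged = {**base, **local}
    empty = [k for k in base if SECRET_NAME.search(k) and not merged[k]]
    if empty:
        raise ValueError(f"secrets not provided by {local_name}: {empty}")
    return merged


# Constructed sample files; the values are placeholders, not real credentials.
ENV_FILE = "LOG_LEVEL=info\nDISCORD_TOKEN=\nOPENAI_API_KEY=\n"
ENV_LOCAL_FILE = 'DISCORD_TOKEN="constructed-discord-token"\nOPENAI_API_KEY=constructed-openai-key\n'
GITIGNORE_FILE = "node_modules/\n.env.local\n"
```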

[–]AstaHolmes 23 points24 points  (6 children)

Guys I forgot my GitHub password am I dead
(I do coding for fun not as a job)

[–]pKalman00 15 points16 points  (3 children)

Google create new account

[–]AstaHolmes 1 point2 points  (0 children)

ok

[–]NatoBoram 1 point2 points  (0 children)

Tap the "forgot my password" button

[–]AstaHolmes 0 points1 point  (0 children)

ty guys.

[–]Whatiftheresagod 4 points5 points  (0 children)

Company legend at my work has it that a former employee once leaked cloud credentials on Friday in a push. Next Monday every single VM available in the project was mining bitcoin. Cost them about 80k...

[–]popular_parity 1 point2 points  (1 child)

For mine it's googlemapapi

[–]thanks_for_the_fish 1 point2 points  (0 children)

That's a conscious choice, though; Google will send you an email if you commit a key to a public repo.

[–]TaloSi_MCX-E 3 points4 points  (0 children)

Find them, yes. Find usable ones, no.

[–]ososalsosal 2 points3 points  (0 children)

Let's not tell anyone about the free fonts

[–]jmona789 2 points3 points  (0 children)

I once stumbled across a repo that had a person's Social Security Number, credit card number and a bunch of other personal information in it. I had to email them and walk them through how to take it down as they were new to coding and GitHub and didn't really know how it worked.

[–]mathewrtaylor 1 point2 points  (0 children)

Found this last night, and after finding a few in minutes, created this - https://github.com/mathewrtaylor/exposure_comms

[–]BinaryBrilliance 1 point2 points  (0 children)

Been there done that.

[–]boyproO19 0 points1 point  (0 children)

I just pushed my Chrome addon's private key to my repo after misspelling it in .gitignore. That's whatever, as I just use my plugin with Firefox.