Orphaned Commits That Conceal Secrets
A cybersecurity researcher has uncovered a subtle yet significant vulnerability lurking within common Git practices. The technique involves the widespread use of the command git reset --hard HEAD followed by git push origin -f. This method is frequently employed by developers to erase accidental commits from remote repositories—effectively making the commits disappear from the project’s visible history. However, while the commits are no longer accessible through standard Git operations, they are not truly deleted. The researcher demonstrated that these “disappeared” commits can still be retrieved and exploited, particularly for covert data exfiltration.
The core of this vulnerability lies in how Git and hosting platforms like GitHub handle and store data. The researcher combined existing tools and scaled their use to automate the process of hunting for these hidden secrets. One of the key resources utilized was GH Archive, a project that logs and preserves a wide array of public activity on GitHub. By leveraging GitHub’s public API, the researcher could track activity and gather information about repositories, even those with recent forced pushes that ostensibly obliterated sensitive information.
Dawn Liphardt.fr previously reported on GH Archive’s capabilities, noting how it logs roughly twenty types of activities, including automatic creation of CVs or detection of suspicious “starring” behavior. These logging tools form the backbone of an approach that can systematically sift through public repositories’ history, identifying illicitly stored secrets hidden within old or orphaned commits.
The Hidden Threat Within Orphaned Changes
Initially, the researcher focused on identifying “blobs”—Git’s term for stored file content. These blobs can become orphaned under certain circumstances, often when the project’s history is rewritten via rebase or reset operations. Normally, Git retains these orphaned blobs for at least two weeks by default, enabling potential recovery if needed. However, they are not always easy to locate and retrieve, especially when dealing with local repositories.
More critically, on platforms like GitHub, commits—even those that are orphaned—continue to be stored indefinitely. Whether intended or not, this persistent storage leaves a blind spot where secrets or sensitive data can remain hidden for extended periods. The researcher realized that by auditing the repository’s commit history through GitHub’s API, it was possible to pinpoint these orphaned commits long after they had been seemingly erased from the visible history.
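To make the retention behaviour concrete, the following added example (not the researcher's tool, and not code from the article) builds a throwaway local repository, commits a constructed fake token, rewinds the branch with git reset --hard, and then shows that the commit is still in the object store and can be found with git fsck --unreachable and scanned for secrets. It also performs the local cleanup (reflog expire plus gc) that removes the objects from the clone. It assumes git is on PATH; the secret patterns are illustrative, and the token value is constructed.

```python
"""Audit a local clone for orphaned commits that still carry secrets.

Added example, not the researcher's tool. Assumes `git` is on PATH.
"""
from __future__ import annotations

import re
import subprocess
import tempfile
from pathlib import Path

# Illustrative patterns only. The ghp_/gho_/ghu_/ghs_/ghr_ prefixes are
# GitHub's real token prefixes; the generic key pattern is a loose heuristic.
SECRET_PATTERNS = {
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "generic_api_key": re.compile(
        r"(?i)api[_-]?key\s*[=:]\s*['\"][A-Za-z0-9_\-]{16,}['\"]"),
}


def git(repo: Path, *args: str) -> str:
    """Run one git command inside `repo` and return its stdout."""
    return subprocess.run(
        ["git", *args], cwd=repo, check=True, capture_output=True,
        encoding="utf-8", errors="replace",
    ).stdout


def unreachable_commits(repo: Path) -> list[str]:
    """SHAs of commits that no branch, tag or reflog entry points to.

    --no-reflogs matters: `git reset --hard` leaves a reflog entry, and
    fsck treats reflog entries as roots unless told otherwise.
    """
    out = git(repo, "fsck", "--unreachable", "--no-reflogs")
    return [line.split()[2] for line in out.splitlines()
            if line.startswith("unreachable commit ")]


def scan_commit(repo: Path, sha: str) -> dict[str, list[str]]:
    """Read every file in the commit's tree and grep it for the patterns."""
    findings: dict[str, list[str]] = {}
    for path in git(repo, "ls-tree", "-r", "--name-only", sha).splitlines():
        content = git(repo, "show", f"{sha}:{path}")
        for name, pattern in SECRET_PATTERNS.items():
            for match in pattern.findall(content):
                findings.setdefault(name, []).append(f"{path}: {match}")
    return findings


def purge_unreachable(repo: Path) -> None:
    """Drop orphaned objects from the *local* clone.

    This does nothing for a hosted copy: GitHub keeps the objects until
    its support team runs garbage collection on the repository.
    """
    git(repo, "reflog", "expire", "--expire=now", "--all")
    git(repo, "gc", "-q", "--prune=now")


def demo() -> tuple[dict[str, dict[str, list[str]]], list[str]]:
    """Leak a fake token, rewind history, audit, then purge locally.

    Returns (findings keyed by orphaned SHA, unreachable commits after purge).
    """
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        git(repo, "init", "-q")
        git(repo, "config", "user.email", "audit@example.invalid")
        git(repo, "config", "user.name", "audit")
        (repo / "README.md").write_text("clean\n")
        git(repo, "add", ".")
        git(repo, "commit", "-q", "-m", "initial")

        # The accidental commit: a constructed token with a plausible shape.
        fake_token = "ghp_" + "A" * 36
        (repo / "config.py").write_text(f'GITHUB_TOKEN = "{fake_token}"\n')
        git(repo, "add", ".")
        git(repo, "commit", "-q", "-m", "oops")
        leaked_sha = git(repo, "rev-parse", "HEAD").strip()

        # The "fix" the article describes: rewind the branch. The commit is
        # gone from `git log` but the object is still on disk.
        git(repo, "reset", "-q", "--hard", "HEAD~1")

        findings = {sha: hits for sha in unreachable_commits(repo)
                    if (hits := scan_commit(repo, sha))}
        assert leaked_sha in findings  # the rewound commit is still readable

        purge_unreachable(repo)
        return findings, unreachable_commits(repo)


if __name__ == "__main__":
    found, remaining = demo()
    for sha, hits in found.items():
        print(sha, hits)
    print("unreachable commits after local purge:", remaining)
```

The local purge is only half of the remediation: the token must be rotated regardless, and any remote that received the commit before the force push still holds it until the hosting provider garbage-collects it.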
This insight paved the way for a large-scale “hunt” for secrets stored within these orphaned commits. Using the GitHub Event API, the researcher could access commit data across public repositories without needing authentication, though with some rate limiting. To circumvent these restrictions, the researcher exploited GH Archive logs, which maintained a historical record of numerous GitHub activities—effectively providing a workaround that allowed deeper analysis.
The workflow involved several steps:
– Identifying force-push events that likely resulted in commits being orphaned or deleted.
– Filtering out commits that contain no actual changes (empty commits) to target potential hiding spots.
– Isolating the commits immediately preceding these force pushes, and retrieving their unique hashes.
– Using these hashes to examine the commits directly via the GitHub web interface or through the API, uncovering potentially sensitive data that had been concealed within these code snapshots.
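The workflow above, applied from a defender's side to one's own organization, as an added example (not the researcher's released tool): it reads GH Archive-style PushEvent records, keeps only pushes against watched repositories that report zero new commits, and lists the previous branch tip (the payload's before value) as a commit to review and, if it held a secret, to rotate. The field names before, head, size and commits are those of GitHub's public Events API; treating a zero-commit push as a likely force push is an assumption of this example, and all event lines are constructed.

```python
"""Flag candidate orphaned commits in GH Archive PushEvent records.

Added example, not the researcher's tool. Assumption: a PushEvent with
zero commits is usually a force push that moved the branch back to an
existing commit, so its `before` SHA is the old tip that is now likely
unreachable from any branch.
"""
import json
from dataclasses import dataclass
from typing import Iterable, Optional

ZERO_SHA = "0" * 40  # `before` value GitHub reports for a newly created branch


@dataclass(frozen=True)
class Candidate:
    repo: str
    ref: str
    orphaned_sha: str  # branch tip before the push; the commit to review
    new_head: str
    created_at: str

    @property
    def url(self) -> str:
        """Where a reviewer can inspect the commit in the web interface."""
        return f"https://github.com/{self.repo}/commit/{self.orphaned_sha}"


def find_candidates(lines: Iterable[str],
                    watched: Optional[list[str]] = None) -> list[Candidate]:
    """Return one Candidate per (repo, before-SHA) for likely force pushes.

    `watched` holds org names or full repo names; None means all repos.
    """
    seen: set[tuple[str, str]] = set()
    out: list[Candidate] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # archive files can contain truncated lines; skip them
        if ev.get("type") != "PushEvent":
            continue
        repo = ev.get("repo", {}).get("name", "")
        if watched and not any(repo == w or repo.startswith(w + "/")
                               for w in watched):
            continue
        p = ev.get("payload", {})
        before, head = p.get("before"), p.get("head")
        if p.get("size", len(p.get("commits", []))) != 0:
            continue  # ordinary push that added commits; nothing was rewound
        if not before or before == ZERO_SHA or before == head:
            continue  # new branch or no-op push: no previous tip to review
        key = (repo, before)
        if key in seen:
            continue
        seen.add(key)
        out.append(Candidate(repo, p.get("ref", ""), before, head or "",
                             ev.get("created_at", "")))
    return out


def _event(repo: str, before: str, head: str, size: int,
           created_at: str = "2024-05-01T12:00:00Z") -> str:
    """Build one GH Archive-style PushEvent line (constructed sample data)."""
    return json.dumps({
        "type": "PushEvent",
        "repo": {"name": repo},
        "created_at": created_at,
        "payload": {"ref": "refs/heads/main", "before": before, "head": head,
                    "size": size, "distinct_size": size,
                    "commits": [{"sha": head}] * size},
    })


# Constructed sample: one hour of activity as it might appear in an archive.
SAMPLE_EVENTS = [
    _event("example-org/service", "1" * 40, "2" * 40, 2),    # ordinary push
    _event("example-org/service", "a" * 40, "b" * 40, 0),    # rewound branch
    _event("someone-else/project", "c" * 40, "d" * 40, 0),   # not a watched repo
    _event("example-org/service", ZERO_SHA, "e" * 40, 0),    # new branch
    json.dumps({"type": "WatchEvent", "repo": {"name": "example-org/service"}}),
    '{"type": "PushEvent", "repo": {"name": "exam',          # truncated line
]


if __name__ == "__main__":
    for c in find_candidates(SAMPLE_EVENTS, watched=["example-org"]):
        print(c.created_at, c.repo, c.ref, c.url)
```

For a real hourly archive file, decompress it and pass its lines to find_candidates; each candidate URL is a commit to open, check for credentials, and, where one is found, rotate before asking the hosting provider to garbage-collect the repository.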
Gaining Administrative Access to All Repositories in Istio
This approach was put into practice using an open-source tool specifically designed to automate this analysis, which was released for the benefit of security teams—often called “blue teams.” The tool stores identified secrets within a JSON file and offers visualizations through tables and charts, making it easier to analyze findings quickly.
One striking example involved the Istio project, a service mesh platform for Kubernetes. An orphaned commit within the repository contained an access token—a secret that a developer had accidentally committed and subsequently force-pushed, erasing it from the visible history. The token was of an administrative level, providing direct access to all repositories within the Istio project. Because the commit was orphaned but still stored by GitHub, the researcher could retrieve and analyze it, revealing the full scope of the compromised credentials.
This methodology demonstrates how even seemingly minor or accidental pushes can leave behind artifacts that, if not properly cleaned, pose serious security risks. Whoever retrieves such a hidden secret gains whatever access it carried, which in this case was administrative, unless repositories are meticulously scrubbed or secrets management best practices are followed.
*Note: The researcher clarified that this process can be expedited by requesting GitHub to perform garbage collection once the secret is identified, further reducing the window for potential misuse.*