Pushing Internal Data To Repo - An Anecdote
Wanted to tell a quick story of one of the close calls I have had working in Security over the years.
A lot of times people only talk about their highlights or their accomplishments. But it is a good exercise to learn from our mistakes.
I have a running list of notes I keep on my work laptop. Think things like glossary-type definitions for different tools, short code snippets, and more that I can use regardless of the situation.
One day I was working on GitHub and I pushed this notes file unintentionally. This normally wouldn't be an issue if there were no internal data in it; after all, it's just general notes.
The problem was there was an internal webhook in the file. Webhooks are "always on" listeners that will deliver data when a specified action occurs. Think of a Typeform or Slack notification. A couple of days later I was notified of this problem. I double-checked the GitHub push and, sure enough, there was the webhook.
We started an incident and remediation began.
Due to the way GitHub works (version control of everything ever checked in to the repo), simply removing this file is not good enough from a security and privacy standpoint, as the secret will remain in the git history. I ended up using the git filter-repo tool to address this.
See Removing Sensitive Data From A Repository for more on this.
This tool removes the specified file and any commits referencing it, and rewrites history, making it seem as if the mistake never happened. In the end, I was able to fix the incident and learn how to use a new tool while at it.
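The point above about git history, as an added example that is not part of the original post: this script repeats the mistake in a throwaway repository with a constructed webhook URL, then shows that the checkout is clean after the file is deleted while the secret is still reachable from history. The function names, file name and URL are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: deleting a file in a new commit leaves its contents in history.
# The repo, file name and webhook URL below are constructed for the demo.

# Constructed placeholder secret (not a real webhook).
SECRET='https://hooks.example.invalid/services/CONSTRUCTED-TOKEN'

# Count commits, across all refs, whose diff adds or removes the given string.
history_hits() {  # usage: history_hits <repo-dir> <fixed-string>
    git -C "$1" log --all --format=%H -S"$2" | wc -l | tr -d ' '
}

# Count tracked files in the current checkout that contain the string.
worktree_hits() {  # usage: worktree_hits <repo-dir> <fixed-string>
    git -C "$1" grep -l -F -e "$2" 2>/dev/null | wc -l | tr -d ' '
}

# Build a throwaway repo that repeats the mistake: commit notes, then delete them.
make_demo_repo() {  # prints the path of the new repo
    repo=$(mktemp -d) || return 1
    git -C "$repo" init -q
    git -C "$repo" config user.email "demo@example.invalid"
    git -C "$repo" config user.name "Demo"
    printf 'grep tips\nwebhook: %s\n' "$SECRET" > "$repo/notes.md"
    git -C "$repo" add notes.md
    git -C "$repo" commit -q -m "add notes"
    git -C "$repo" rm -q notes.md
    git -C "$repo" commit -q -m "remove notes"
    printf '%s\n' "$repo"
}

demo_repo=$(make_demo_repo)
echo "files in checkout containing secret: $(worktree_hits "$demo_repo" "$SECRET")"
echo "commits in history touching secret:  $(history_hits "$demo_repo" "$SECRET")"
rm -rf "$demo_repo"
```

Running `history_hits` again after a history rewrite is a quick way to confirm the string is no longer reachable from any ref in the local clone.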
“I either win or learn” - Nelson Mandela
I like to go by the adage of “I either win or learn”, and this was definitely a learning experience. Although this should not have happened, we can only learn from our mistakes and move forward. I think we can all take some time and remember moments where we really learned through adverse experiences and came out better because of it.
Whether we learn from preparing for interviews, hands-on CTFs or our own reflection, there are always takeaways for us to come back better.
I hope this helps you in your learning journey!