BOOK THIS SPACE FOR AD
ARTICLE ADCharlie Osborne 12 April 2022 at 09:59 UTC
Third version of the open source software comes with significant upgrades
The newest version of TruffleHog has landed with support for more than 600 key types, furthering the tool’s ability to hunt for credential leaks.
Leaked credentials, including secret key pairs, are a serious cybersecurity issue. Keys can be abused to compromise enterprise networks, often more covertly and for longer time periods than the exploit of vulnerabilities in popular software.
Available on GitHub, TruffleHog is an open source project tool for discovering keys leaked via JavaScript or too-permissive CORS settings in APIs.
BACKGROUND Meet TruffleHog – a browser extension for finding secret keys in JavaScript code
The system can alert developers or researchers when websites or front-end applications are accidentally leaking keys. TruffleHog can also be used to find exposed .git repository credentials.
On April 4, Truffle Security co-founder Dylan Ayrey said in a blog post that TruffleHog is now entering its third phase with many improvements, including verification and enhanced key volume.
In December, Truffle Security raised $14 million in a Series A investment round. These funds have been used to improve the software – and Ayrey says that TruffleHog “is faster, detects 10x more secrets, and automatically validates 100% of the secrets it supports with dynamic checks”.
The most significant change is a new verification step. API calls can now be made to vendors who provide keys to validate a newly-discovered key. Secret detectors are also now preflighted to boost TruffleHog’s performance and runtime speed.
Read more of the latest news about open source software
In addition, 639 key types are now supported, including AWS, Azure, Confluent, Facebook, and GitHub.
“We do not know of another secrets scanning engine that supports this many key types, let alone the verification, and the fact they’re all now open source,” Ayrey commented.
TruffleHog’s story began in 2017. Ayrey wrote the script to quickly find leaked API keys and secrets in Git source code, with the overall purpose of bug bounty submissions.
The code was published as an open source project. Its popularity led Ayrey, alongside Dustin Decker and Julian Dunning, to leave their jobs to focus full-time on Truffle Security and credential leakage tools.
Truffle Security has since released the TruffleHog Chrome extension, alongside Driftwood, open source software for discovering leaked, paired private, and public keys.
The Daily Swig has reached out to Truffle Security and we will update when we hear back.
YOU MAY ALSO LIKE Access control vulnerability in Easy!Appointments platform exposed sensitive personal data