The Code Sharing Conundrum

9 hours. That’s all it took for an AWS access key exposed on Pastebin to fall into the wrong hands. On JSFiddle and GitHub Gist, secrets lasted longer—but don’t mistake delay for safety. When secrets end up on these platforms, it’s not just a matter of if they’ll be exploited but when.

This is the third installment in our series exploring how attackers exploit exposed secrets. If you’re just joining us, start with our Prelude to understand the stakes. We’ve already explored GitHub and GitLab and Package Managers. Today, we’ll turn our attention to code sharing platforms—essential tools that, in reality, often operate as security black holes.

The Unseen Blind Spot

Secrets leak—it’s a fact of life in modern development. That’s why companies invest in secret scanning tools to monitor repositories and prevent mishaps. But when developers share code snippets outside of those repositories—whether it’s troubleshooting on forums, showcasing work, or collaborating informally—companies have no way to detect or control what’s exposed.

Imagine your office has high-tech security cameras watching every door and window, but your employees sometimes hold meetings in the parking lot, completely outside the cameras’ view. It’s not negligence—it’s practicality. Developers can’t avoid sharing code; it’s how work gets done. But when they do, even the best tools can’t keep up, leaving organizations entirely blind to what’s happening.

Scenarios

In the table below, we have listed all the scenarios we executed across popular code snippet sharing websites. We wanted to see whether any specific forum or community is more susceptible than others to being scanned by attackers.

Website | Scenario Name | Description
--- | --- | ---
JSFiddle | Fiddle Fumble | Placed an AWS access key in a public JSFiddle snippet.
GitHub Gist | Lucky Gist | Exposed an AWS access key in a public GitHub Gist.
GitHub Gist | Is Private Really Private? | Added an AWS access key to a private GitHub Gist.
Pastebin | At Your Own Paste | Created a Pastebin snippet containing an AWS access key.

Results

Here’s what we found:

  • Pastebin: Exploitation occurred in just 9 hours, showing that even obscure pastes are discovered, and in under 24 hours.
  • GitHub Gist (Public): While detection by GitHub’s secret scanning tools was swift (within minutes), exploitation occurred after 5 days.
  • JSFiddle: Similarly, an AWS key left in a snippet remained safe for 5 days before attackers pounced.

Interestingly, secrets hidden in Private Gists weren’t touched. But this isn’t cause for relief—these Gists are only “private” because they don’t show up in search results. If someone stumbles across the URL, the secret is just as vulnerable. And interestingly, AWS itself sent no alert for the leak, demonstrating that GitHub isn’t scanning Private Gists, even though nothing is really private about them.

Platform | Scenario | Time to Exploit | Time to Alert ⚠️
--- | --- | --- | ---
JSFiddle | Fiddle Fumble | 5 days | No Alert Sent
GitHub Gist (Public) | Lucky Gist | 5 days | 3 minutes
GitHub Gist (Private) | Is Private Really Private? | No exploitation | No Alert Sent
Pastebin | At Your Own Paste | 9 hours | No Alert Sent

“Hold Up, Wait a Minute”: Don’t Mistake Delay for Safety

The relatively long exploitation times compared to repositories don’t make these platforms safe. The reality is that most enterprises won’t even know a secret has been leaked here. The platforms aren’t integrated with enterprise-grade secret scanning tools, and monitoring code snippets shared externally is impossible without intrusive measures. That 9 hours—or even 5 days—means nothing when you’re completely unaware the clock has even started.

When detection depends entirely on developer diligence, it’s like relying on someone to not spill coffee in a room with white carpets. Mistakes will happen, and organizations must stop pretending otherwise.
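One way to close part of that gap on the developer's side is a local check run over a snippet before it is pasted anywhere. The following Python is an added example, not a tool from the original post or from its authors: it flags AWS access key IDs by their fixed prefix and length, and catches secret access keys by a suggestive label plus an entropy check so that dummy values are not reported. The sample snippet is constructed and uses the placeholder credentials from AWS's own documentation.

```python
import math
import re
from dataclasses import dataclass

# AWS access key IDs: "AKIA" (long-term) or "ASIA" (temporary) prefix plus 16
# uppercase alphanumerics, 20 characters total, not embedded in a longer token.
AWS_ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access key candidates: a suggestive label, then a 40-char base64-style value.
AWS_SECRET_CANDIDATE = re.compile(
    r"(?i)(?:aws_?secret_?access_?key|secret_?key|aws_?secret)\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    redacted: str  # never echo the full value back into logs or terminals

def shannon_entropy(s: str) -> float:
    probs = [s.count(ch) / len(s) for ch in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def redact(value: str) -> str:
    return value[:4] + "*" * (len(value) - 8) + value[-4:]

def scan_snippet(text: str, min_secret_entropy: float = 3.5) -> list[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append(Finding(line_no, "aws_access_key_id", redact(m.group(0))))
        for m in AWS_SECRET_CANDIDATE.finditer(line):
            # Low-entropy values (repeated characters, obvious dummies) are skipped.
            if shannon_entropy(m.group(1)) >= min_secret_entropy:
                findings.append(Finding(line_no, "aws_secret_access_key", redact(m.group(1))))
    return findings

# Constructed sample using AWS's documented placeholder credentials; the last line
# is a low-entropy dummy value that must not be reported.
SAMPLE_SNIPPET = """\
client = boto3.client(
    "s3",
    aws_access_key_id="AKIAIOSFODNN7EXAMPLE",
    aws_secret_access_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
)
secret_key = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"""

if __name__ == "__main__":
    for f in scan_snippet(SAMPLE_SNIPPET):
        print(f"line {f.line_no}: {f.kind} {f.redacted}")
```

Wired into a pre-commit hook or a clipboard helper, a non-empty result is the moment to stop and rotate the key rather than share the snippet.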

Sharing Is Caring: Exploring the Scenarios

JSFiddle Scenarios

Fiddle Fumble

We put a secret in JSFiddle and were curious to see whether someone would pick it up. It took a bit of time, but ultimately we weren’t surprised that someone got to it.

Exploited? | Exploitation Time | Alert Time
--- | --- | ---
Yes | 5 days | No alert sent

Our estimate is that attackers do scan JSFiddle, though less frequently than platforms like Docker Hub and GitHub, since it took 5 days for our Fiddle to be found.

GitHub Gist Scenarios

Lucky Gist

We exposed a secret in a public GitHub Gist, and were curious to see if it would be picked up. We had to wait a while, but it was picked up eventually.

Exploited? | Exploitation Time | Alert Time
--- | --- | ---
Yes | 5 days | 3 minutes

GitHub Gists are probably scanned continuously by attackers, though with less frequency than other more prominent places where keys might be exposed, since it took 5 days for our public Gist to be found and for the key to be exploited.

Is Private Really Private?

We then exposed a secret in a private GitHub Gist. The difference between public and private Gists is that while public Gists show up in Discover, private Gists don’t. However, anyone who has the URL of a private Gist can access it.

Exploited? | Exploitation Time | Alert Time
--- | --- | ---
No | No exploitation | No alert sent

We were relieved to see that no scanner was able to pick up the keys in our private Gist. So, if you accidentally leak secrets on a Gist, you’d best hope it’s a private one. According to GitHub's documentation, they scan content in commits, pull requests, issues, discussions, and even Gist content and comments—but likely only for public Gists.

We opened a ticket with GitHub support to inquire about why private Gists are not scanned. Despite the term 'private,' there’s nothing truly private about a private Gist; the only 'private' aspect is the URL itself, with no access control. Anyone attempting to enumerate Gist URLs could still discover it.

Pastebin Scenarios

At Your Own Paste

We decided to do what many would avoid because they know it’s unsafe: we created a Pastebin snippet with an AWS access key to see how quickly attackers would find it, knowing it was only a matter of time.

Exploited? | Exploitation Time | Alert Time
--- | --- | ---
Yes | 9 hours | No alert sent

We were actually surprised to find that it took a few hours for scanners to locate and use the secret.

What’s Next

Code sharing platforms are a blunt reminder of the limitations of traditional secret management. In our next post, we’ll explore developer forums like Stack Overflow and Reddit—places where secrets can linger as well, waiting to be weaponized.

If you can’t wait for the next blog post, we invite you to download the full report, with all scenarios we ran, a deeper dive into our methodologies, platform-specific insights, attacker behavior patterns, and the tool we built to neutralize exposed secrets instantly. It’s an essential read for any organization looking to secure its systems against the escalating risks of exposed secrets.