GitHub secrets: Deleted files still bring risks

“I built an automation that cloned and scanned thousands of public GitHub repositories to reveal secrets,” Brizinov said in a blog post. “For each repository, I recovered deleted files, found dangling spots, and opened the wrapped .pack file to search for exposure (secrets).”

Brizinov received $64,000 in vulnerability bounties for the method, which exposed hundreds of leaked secrets and led to the discovery of dozens of affected repositories belonging to Fortune 500 companies.

Git history keeps files even after deletion

According to the findings, Git retains a complete history of changes, which means that deleted files and their contents can still be accessed unless they are properly removed from that history. “Developers usually forget that Git history keeps everything even after deleting the file from the working directory,” Brizinov noted.
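The following is an added example, not code from Brizinov's post: a small shell audit that a repository owner can run to see which "deleted" content Git still holds, both in commit history and as unreferenced (dangling) blobs. The function names, the demo repository and the sample values are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit a repository you own for content that "deleted"
# files left behind. All names and sample values here are constructed.

# Build a throwaway repo: one committed-then-deleted file, one file that
# was only staged and then unstaged (its blob becomes a dangling object).
make_demo_repo() {
  d=$(mktemp -d)
  git -C "$d" init -q
  git -C "$d" config user.email demo@example.invalid
  git -C "$d" config user.name demo
  printf 'API_KEY=EXAMPLE-NOT-A-REAL-KEY\n' > "$d/.env"
  git -C "$d" add .env && git -C "$d" commit -qm 'add config'
  git -C "$d" rm -q .env && git -C "$d" commit -qm 'remove config'
  printf 'TOKEN=EXAMPLE-STAGED-ONLY\n' > "$d/tmp.txt"
  git -C "$d" add tmp.txt && git -C "$d" rm -q -f --cached tmp.txt
  rm -f "$d/tmp.txt"
  echo "$d"
}

# Every path deleted in any commit on any ref: "<deleting commit>\t<path>".
deleted_files() {
  git -C "$1" log --all --diff-filter=D --name-only --format='commit %H' |
    awk '/^commit /{c=$2; next} NF{print c "\t" $0}'
}

# Content of a deleted path as it stood in the parent of the deleting commit.
recover_deleted() {  # usage: recover_deleted <repo> <commit> <path>
  git -C "$1" show "$2^:$3"
}

# Blobs that no commit, tag or index entry references but that still exist.
dangling_blobs() {
  git -C "$1" fsck --dangling --no-reflogs 2>/dev/null |
    awk '$1 == "dangling" && $2 == "blob" {print $3}'
}

if [ "${1:-}" = "--demo" ]; then
  repo=$(make_demo_repo)
  deleted_files "$repo" | while IFS="$(printf '\t')" read -r c p; do
    echo "deleted path $p still readable:"; recover_deleted "$repo" "$c" "$p"
  done
  for b in $(dangling_blobs "$repo"); do git -C "$repo" cat-file -p "$b"; done
  rm -rf "$repo"
fi
```

Run it with `--demo` to see both recoveries on the constructed repository. Any hit in a real repository means the value should be treated as exposed and rotated, since deleting the file did not remove it.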
