There are several potential employees that a malicious actor could target in an organisation, but what if this was a developer?

Developers have played an essential part in business, and even more so in the future. They generally have quite a significant amount of access within an organisation. For example, they would typically have access to the organisation’s infrastructure as well as other third-party services such as version control platforms. If a malicious actor was to target them and succeed, then this could cause a great deal of damage to the organisation.

So, how could a developer be hacked? Well, being a human, just like you and me, there is the initial factor of the potential of being Socially Engineered. However, for now, I wanted to touch upon something else, which could be quite valuable and is quite simple to perform. What if a malicious actor only required very little information and the use of a search box, how could this be a problem? Well, there is a technique known as ‘Dorking’.

Dorking essentially means using a service’s advanced search feature to discover any sensitive information. As this uses a service’s search feature and doesn’t interact with any of the organisation’s infrastructure, this is a passive activity. This technique was initially discovered and well known with a particular search engine. However, this ability now works on other services, in this case, version control platforms. If public repositories are in use, they can then be searched through to find any sensitive information, even if unintentionally. Such information could be a developer’s credentials, tokens or SSH keys, for example.

Anyone in an organisation could have access to version control platforms used inside the organisation. However, the employees who are the prime candidates for using them are developers. So, there should be a check made before commits are made.

In the next part of this series we will examine some examples of dorking.

Join us in a partnership founded in research, education and execution

Our success is built on protecting our clients’ success. We have a distinguished track record of supporting our clients in building secure by design environments. Our consultants have successfully ushered in new security practices in leading pharmaceutical, energy and retail institutions. Bramfitt has over 50 specialists around the world and we are committed to forging long-term relationships with our clients, providing them with genuine insight and practical advice, and supporting them as they navigate the everchanging security landscape.

Let us be your partner for the next phase of your security journey.

EMEA Headquarters
Tower 42, 25 Old Broad Street London, EC2N 1HN
+44 (0) 208 187 4234
AMER Headquarters
45 Rockefeller Plaza, 20th Floor New York, NY 10111
+1 (800) 468-6046
APAC Headquarters
96 Wanneroo Rd, Yokine WA 6060, Australia
iasme consortium
iasme consortium
cyber essentials
cyber essentials plus
iot security assured
ukas iso 9001ukas iso 27001
Back to top
Get in touch