Comment by beezlewax
2 years ago
There's a whole section here about how to brute force the hashes. You don't even need the full hash... just a shortened version using the first few chars.
I'm dubious. Searching for globally unique commit IDs is still at least a million+ request operation. That's easy enough in a cryptographic sense, but the attack in question requires banging a web UI, which is 100% for sure going to hit some abuse detector. I really don't think you can do this in practice, and the article certainly doesn't demonstrate it.
They released a tool to do this in a followup post: https://trufflesecurity.com/blog/trufflehog-now-finds-all-de...