Open-Source Secret Scanner Exposes Crypto Phishing Site's Own Firebase Keys

A developer benchmarking Sentinel, a newly released open-source Git secret scanner written in Go, stumbled upon a phishing site impersonating Tether (USDT) while scanning random GitHub repositories. The scammer had hardcoded Firebase credentials — including an API key and project ID — directly into their code, leaving them fully exposed. The linked Vercel deployment revealed a fake Tether login page designed to steal cryptocurrency wallet credentials, even prompting users to authenticate via Spotify. The developer publicly posted the exposed keys in a GitHub Issue on the scammer's own repository, drawing attention to the vulnerability and getting the Firebase project flagged. The incident highlights growing risks tied to AI-generated code, where developers and bad actors alike often fail to properly manage sensitive credentials like API keys.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.


Discussion (0)
Log in to join the discussion and vote.
Log in