Summary

  • The article discusses the different types of GitHub tokens that can be identified using specific keywords, and their potential privileges.
  • GitHub tokens, personal access tokens, fine-grained personal access tokens, OAuth tokens, and GitHub action tokens each have varying degrees of access.
  • The critical tokens are those that afford push privileges to private repos, or admin privileges that allow deletion of repos.
  • The tokens are usually discovered in configuration files such as .env files and in Python scripts, and can be searched for using GitHub’s classic search.
  • A search for .env files on GitHub with the “ghp_” keyword can reveal many instances of exposed tokens which could potentially be exploited.
  • The author also shares other search operators for finding various types of tokens within GitHub repositories, and encourages users to validate their own repositories to ensure that they’re not exposing any sensitive access tokens.
  • The article can be useful for developers and bug bounty hunters looking to identify and mitigate potential security risks associated with GitHub access tokens.
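As an added defensive example (not code from the article or its author), the scanner below applies the same prefix-keyword idea to files you control before they are pushed: it reports every GitHub-shaped token in .env or Python content by line number and type, redacting the value so the report itself does not re-leak it. The regex is an assumed heuristic, the sample inputs are constructed placeholders, and the prefixes other than ghp_ are GitHub's published token prefixes, which the summary does not name.

```python
import re
from dataclasses import dataclass

# GitHub's published token prefixes; the article names only "ghp_". The prefix
# tells the token *kind*, not its scopes: whether a leaked token can push to or
# delete private repos still has to be checked against the GitHub API.
TOKEN_TYPES = {
    "ghp_": "personal access token (classic)",
    "github_pat_": "fine-grained personal access token",
    "gho_": "OAuth access token",
    "ghu_": "GitHub App user-to-server token",
    "ghs_": "GitHub App server-to-server / Actions token",
    "ghr_": "GitHub App refresh token",
}
# Heuristic pattern (assumed, not an official regex): prefix plus a long run of
# token characters, so a stray word like "ghp_short" is not reported.
TOKEN_RE = re.compile(r"\b(github_pat_|gh[pousr]_)[A-Za-z0-9_]{20,255}\b")

@dataclass
class Finding:
    source: str
    line_no: int
    token_type: str
    redacted: str  # identifies the hit in a report without re-leaking the token

def redact(token: str) -> str:
    """Keep the prefix and four characters at each end of the token body."""
    prefix = next(p for p in TOKEN_TYPES if token.startswith(p))
    body = token[len(prefix):]
    return f"{prefix}{body[:4]}...{body[-4:]}"

def find_tokens(text: str, source: str = "<input>") -> list[Finding]:
    """Scan text line by line and report every GitHub-shaped token in it."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in TOKEN_RE.finditer(line):
            findings.append(Finding(source, line_no, TOKEN_TYPES[m.group(1)], redact(m.group(0))))
    return findings

# Constructed stand-ins for the .env files and Python scripts the article says
# leak tokens; the values are placeholders, not real credentials.
SAMPLE_ENV = "DATABASE_URL=postgres://app:app@localhost/app\nGITHUB_TOKEN=ghp_" + "A" * 36 + "\n"
SAMPLE_PY = ('HEADERS = {"Authorization": "Bearer github_pat_' + "B" * 82 + '"}\n'
             "print('ghp_short is not a token')\n")

if __name__ == "__main__":
    for src, text in ((".env", SAMPLE_ENV), ("app.py", SAMPLE_PY)):
        for f in find_tokens(text, src):
            print(f"{f.source}:{f.line_no}: {f.token_type}: {f.redacted}")
```

Run it over the files in a repository (or wire it into a pre-commit hook) to catch a token before it reaches a public branch; a hit only tells you the token kind, so revoke and rotate it rather than reasoning about its scopes.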

By It4chis3c
