Large-Scale Exposure Of Orphaned Commits On Major Git Platforms by Kumar Ashwin
Nullcon Goa 2025 · Main Stage
Kumar Ashwin's Nullcon talk, "Large-Scale Exposure Of Orphaned Commits On Major Git Platforms," sheds light on a pervasive yet often overlooked exposure: sensitive data persisting in **dangling commits** (also called orphaned commits) on major Git hosting platforms such as GitHub. The talk details how commits that developers believe they have deleted, typically by rewriting history and force-pushing to remove a mistakenly committed secret, do not actually vanish. The rewrite only moves the branch reference; the old commit object stays in the platform's object store and can still be retrieved by anyone who knows its SHA through the platform's API. This matters because it contradicts the common assumption that a force-push erases the data, and because, at the scale of a major platform, it leaves a large attack surface for credential harvesting and intellectual-property theft.
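The mechanism described above, reproduced locally as an added example (this is not code from the talk or from the speaker): a bare repository in a temp directory stands in for the hosting platform, a constructed fake token stands in for the leaked secret, and the script shows that after the force-push the commit is unreachable from every branch and is reported by `git fsck` as a dangling commit, yet its contents can still be read back by SHA. On a real platform the equivalent retrieval goes through the API rather than a local `git show`.

```shell
#!/usr/bin/env sh
# Added example (not from the talk): reproduce locally how a force-push that
# "removes" a leaked secret leaves the original commit object on the remote.
# A bare repository in a temp directory stands in for the hosting platform;
# the token value below is constructed and is not a real credential.
set -eu

demo_dangling_commit() {
  work=$(mktemp -d)
  server="$work/server.git"
  clone="$work/clone"

  git init -q --bare "$server"
  srv_branch=$(git -C "$server" symbolic-ref HEAD)   # e.g. refs/heads/master
  git clone -q "$server" "$clone" 2>/dev/null         # "empty repository" warning is expected
  git -C "$clone" config user.email dev@example.invalid
  git -C "$clone" config user.name dev

  # Commit 1: a harmless file. Commit 2: a config file carrying the (fake) credential.
  echo 'demo' > "$clone/README"
  git -C "$clone" add README
  git -C "$clone" commit -q -m "initial"
  echo 'API_TOKEN=FAKE-TOKEN-1234567890' > "$clone/config.env"
  git -C "$clone" add config.env
  git -C "$clone" commit -q -m "add config"
  git -C "$clone" push -q origin "HEAD:$srv_branch"
  leaked_sha=$(git -C "$clone" rev-parse HEAD)

  # The usual "fix": drop the commit from history and force-push the branch.
  git -C "$clone" reset -q --hard HEAD~1
  git -C "$clone" push -q --force origin "HEAD:$srv_branch"

  # Server side: no branch reaches the old commit any more...
  if [ -n "$(git -C "$server" branch --contains "$leaked_sha")" ]; then
    status=reachable
  else
    status=dangling
  fi
  # ...fsck classifies it as a dangling commit...
  fsck_line=$(git -C "$server" fsck --dangling 2>/dev/null | grep "dangling commit $leaked_sha" || true)
  # ...yet anyone who knows the SHA can still read the file out of the object store.
  recovered=$(git -C "$server" show "$leaked_sha:config.env")

  printf 'status: %s\n' "$status"
  printf 'fsck: %s\n' "${fsck_line:-not reported}"
  printf 'recovered: %s\n' "$recovered"
  rm -rf "$work"
}

demo_dangling_commit
```

Run it as a plain script; it needs only `git` and prints three lines. The server-side check uses `git show` because the bare repository is on local disk; against a hosting platform the same commit would be fetched by SHA through the API, which is the access path the talk describes.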
AI review
Solid empirical research on a real, underappreciated problem — dangling commits aren't new knowledge, but the at-scale enumeration methodology and the 500K+ live secrets finding give this genuine weight. Competent work that lands somewhere between 'good blog post' and 'conference-worthy research,' depending on how deep the talk actually goes versus how deep this summary makes it sound.