Challenge 43

Welcome to Challenge 43.

Reddit Blunder

People easily make mistakes. They can, for instance, share an "innocent" piece of data over social media which later turns out to be a secret. Or they can post something on the "wrong screen" and submit it. Additionally, some password managers will happily auto-fill or paste something on any page or screen.

Similarly, a developer in the OWASP community, who also happened to be an active redditor, left a secret on the platform 'by mistake'.

Can you find the secret?

💡 Tip: Secrets are often strings, numbers, or encoded values. Copy and paste exactly what you find.

This challenge can be solved as follows:

  1. Search for the keyword 'developer' in the r/owasp subreddit.

  2. The secret will be in plain sight in a comment on one of the posts found in step 1.

Why should we not share a secret on social media?

Sharing a secret from your application on social media is a really bad practice because it becomes publicly available for anyone to abuse if they learn about the context in which the secret is used.

Although the user or platform can often delete comments/posts, the secret almost always ends up in some database that could get leaked.

Never share any secrets, personal or work-related, on social media!