GitHub Update Springs Leak

Monday, January 28, 2013 @ 01:01 PM gHale

Just last week GitHub pushed through some major improvements made to its code search engine, but the problem is the new search infrastructure turned out to be even more efficient than expected, revealing the private Secure Shell (SSH) keys of some repositories.

Just one day after the release, users began to notice that SSH keys were easy to find on GitHub. Some users reported the keys found ended up associated with the production server of a major website from China and even ones for the Google Chrome source code repository.

Attack Vector: Faux Apache Modules
Apache CouchDB Fixes Holes
Sybase Fixes Database Holes
Linksys Router Zero Day

Sophos experts have investigated the incident and they said the exposed private SSH keys belong to coders who have generated public/private key pairs for secure communications with GitHub. The programmers mistakenly uploaded their private keys instead of the public ones.

Around 80 search pages of private keys ended up exposed by the incident. GitHub rushed to disable the site’s search functionality.

On the downside, the sensitive information is still available via a simple Google search.

“If you are determined to produce your own key pairs, do yourself a favor and be watchful which one you give out and which one you keep,” said Paul Ducklin, Sophos’s head of technology, Asia Pacific.

The main fault is of the programmers who uploaded their private keys instead of the public ones. However, some experts said GitHub should blacklist some well-known private files such as ~/.ssh and ~/.gnupg.

Ducklin published an advisory which details how you should generate and label SSL keys to avoid such incidents.

In the meantime, the latest update on the issue from GitHub reads: “Search remains unavailable. The cluster is recovering slowly and we continue to monitor its progress. Well provide further updates as they become available.”

Leave a Reply

You must be logged in to post a comment.