Feeds

Silly gits upload private crypto keys to public GitHub projects

Amazing what you can find searching for 'BEGIN RSA PRIVATE KEY'

Next gen security for virtualised datacentres

Scores of programmers uploaded their private cryptographic keys to public source-code repositories on GitHub, exposing their login credentials to world+dog. The discovery was made just before the website hit the kill switch on its search engine or, more likely, the service collapsed under the weight of curious users trawling for the sensitive data.

The ability to search for private Secure Shell (SSH) keys on the popular open-source code haven came to light yesterday in tweets and other messages on social networks. At least some of the credentials can still be found using Google and other external web crawlers.

GitHub has more than 2 million users but only a minuscule proportion made the daft mistake of uploading their private instead of just their public crypto keys. Private keys reportedly exposed included the SSH login for a major website in China.

The snafu could allow anyone to surreptitiously log into affected developers' GitHub accounts to alter their projects and gain access to any other online services that use their leaked keys.

The website improved and revamped its search functionality on Wednesday, an improvement that probably enabled the ability to find .ssh/ files.

Some security watchers commented that GitHub could have prevented users uploading private crypto keys with well-chosen filter - for example blocking public uploads of ~/.ssh/ and ~/.gnupg data - but that doesn't excuse developers for doing something so silly.

Those exposed by the blunder should replace their compromised keys sooner rather than later. SSH, in simple terms, is typically used to provide encrypted access over the net to accounts on Unix-style operating systems.

A blog post by Sophos on the incident, illustrated by screenshots and private and public SSH keys, can be found here.

GitHub's status page showed its search functionality was unavailable, implying that this was due to a minor system failure rather than a deliberate move to minimise harm. ®

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
prev story

Whitepapers

Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up distributed data
Eliminating the redundant use of bandwidth and storage capacity and application consolidation in the modern data center.
The essential guide to IT transformation
ServiceNow discusses three IT transformations that can help CIOs automate IT services to transform IT and the enterprise
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.