Bloke clicks GitHub 'commit' button in Visual Studio, gets slapped with $6,500 AWS bill

Oh, did you mean that to be a PRIVATE repository?

By Neil McAllister in San Francisco


A web developer from South Africa said a bug in a tool for using Microsoft's Visual Studio IDE with code-sharing site GitHub inadvertently exposed his sensitive data – and the error cost him more than $6,500 (£4,250) in just a few hours.

Carlo van Wyk of Cape Town–based Humankode said he used the GitHub Extension for Visual Studio 2015 to commit one of his local Git code repositories to a private repository on GitHub.

Unfortunately, however – and unknown to van Wyk at the time – a bug in the extension caused his code to be committed to a public GitHub repository, rather than a private one as he intended.

The extension is developed and maintained by GitHub itself, although it was created with a little help from Microsoft. Van Wyk said in his blog post that both companies have since been in touch with him and the bug has been confirmed and patched.

But that won't help mitigate the fallout of what happened after van Wyk committed his repo.

Within around ten minutes after publishing his code, he received a notification from Amazon Web Services telling him his account had been compromised. He had (somewhat foolishly) included an AWS access key in the code that he had committed to GitHub.

It's not entirely clear what happened next. Van Wyk said he immediately changed his AWS root password, revoked all of his access keys, and created new ones. Nonetheless, within hours the data thieves had managed to sign him up for AWS's Elastic Compute Cluster and fire off more than 20 instances in each EC2 region.

By the time the dust cleared, his AWS account had racked up a bill of $6,484.99.

Such cases aren't new. Miscreants – probably Bitcoin miners, in most cases – have begun routinely trolling public GitHub repositories with bots that search for AWS keys. In van Wyk's case, however, he never expected his repo to be public in the first place.
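The exposure in this story happened at the moment the key left the developer's machine, so the cheapest defence is a check that runs before the commit is made, regardless of whether the remote turns out to be public or private. The following is an added example and not code from the article, from GitHub's extension or from Microsoft: a small scanner that flags AWS access key IDs (the documented AKIA/ASIA prefix plus 16 characters) and credential-looking lines carrying a 40-character secret access key, with a Shannon-entropy check to skip obvious placeholders. The sample text is constructed, and the two credential values in it are AWS's own documented example values, not live keys.

```python
"""Minimal pre-commit scanner for AWS credentials in text about to be committed.

Added example, not the article's or the GitHub Extension's code. Feed it file
contents or a `git diff --cached` and it reports (line, kind, redacted value).
"""
import math
import re
import sys
from collections import Counter

# AWS access key IDs: AKIA (long-term) or ASIA (temporary) followed by 16
# upper-case alphanumerics, not embedded in a longer token.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# Secret access keys are 40 chars of [A-Za-z0-9/+]. That alone is noisy, so
# the heuristic also requires "secret" in the key name before the '=' or ':'.
SECRET_KEY_RE = re.compile(
    r"(?i)secret[\w\s\"']*[:=]\s*['\"]?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)

# Constructed sample input; both credential values are AWS's documented
# placeholder values (AKIAIOSFODNN7EXAMPLE / wJalr...EXAMPLEKEY), not real keys.
SAMPLE = """# constructed config file for the example
region = "eu-west-1"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY
comment = "the secret sauce is in the README"
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; real secrets score high, 'AAAA...' scores 0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep only a short prefix so the report itself does not leak the key."""
    return value[:4] + "****"


def scan_text(text: str, min_entropy: float = 3.0):
    """Return a list of (line_number, kind, redacted_value) findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "aws_access_key_id", redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            candidate = m.group(1)
            # Entropy gate: drop padding-like strings that merely fit the shape.
            if shannon_entropy(candidate) >= min_entropy:
                findings.append((lineno, "aws_secret_access_key", redact(candidate)))
    return findings


def main(argv) -> int:
    """Pre-commit style entry point: non-zero exit blocks the commit."""
    sources = argv[1:] or ["-"]
    total = 0
    for src in sources:
        text = sys.stdin.read() if src == "-" else open(src, encoding="utf-8", errors="replace").read()
        for lineno, kind, shown in scan_text(text):
            print(f"{src}:{lineno}: {kind} ({shown})")
            total += 1
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wired in as a `pre-commit` hook (`git diff --cached -U0 | python scan.py`), it refuses the commit while the key is still local; the report prints only a redacted prefix so the hook's own output can be pasted into a ticket safely. The entropy threshold is a tunable assumption, not an AWS-defined value.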

AWS has not responded to The Reg's request for comment on the matter as we push the big, red "Publish" button on this story.

GitHub, on the other hand, has apologized for the error in its code, describing it as "inexcusable."

GitHub team member Phil Haack added, "As for preventing this in the future, we are trying to take a comprehensive look at the conditions and systems that allowed this to happen in the first place and how we can improve those systems to mitigate such issues in the future."

If you'd like to get the patched version of the GitHub Extension for Visual Studio, you can download it here or get it using Visual Studio 2015's internal update mechanism. ®


