Home page logo

funsec logo funsec mailing list archives

Users Scramble as GitHub Search Exposes Passwords, Security Details
From: Jeffrey Walton <noloader () gmail com>
Date: Sun, 27 Jan 2013 21:47:38 -0500

From DG on the cryptography mailing list....


GitHub has temporarily shut down some parts of the site-wide search
update it launched yesterday. As we mentioned in our earlier post, the
new search tools made it much easier to find passwords, private ssh
keys and security tokens stored in GitHub repos.

GitHub hasn’t officially addressed the issue, but it appears to be
blocking some of the security-related searches that were posted
earlier in this Hacker News thread.

GitHub’s status site also says that “search remains unavailable,”
though in my testing searching worked just fine so long as you weren’t
entering words like “RSA,” “password,” “secret_token” or the like.

Most of the passwords and other security data exposed were personal —
typically private ssh keys to someone’s server or a Gmail password —
which is bad enough, but at least one appeared to reveal a password
for an account on Chromium.org, the repository that holds the source
code for Google’s open-source web browser. Another reportedly exposed
an ssh password to a production server of a “major, MAJOR website in

Unfortunately for people that have been storing their private security
credentials in public GitHub repos what GitHub’s search engine
revealed is nothing new. Google long ago indexed that data and a
targeted site:github.com search will turn up the same exposed security
info, which makes GitHub’s temporarily crippled search a token gesture
at best.

If you accidentally stored sensitive data on GitHub the most important
thing to do is change your passwords, keys and tokens. After you’ve
created new security credentials for any exposed servers and accounts
then you can go back and delete your old data from GitHub.

Given that Git, the version control system behind GitHub, is
specifically designed to prevent data from disappearing, deleting your
sensitive data takes more than just the Git command rm. GitHub has
full details on how to get your sensitive data off the site. As
GitHub’s instructions say, “if you committed a password, change it! If
you committed a key, generate a new one. Once the commit has been
pushed you should consider the data to be compromised.”
Fun and Misc security discussion for OT posts.
Note: funsec is a public and open mailing list.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]