GitHub Repos Leak Thousands of API, Cryptographic Keys
Ami Rojkes Dombe
| 29/03/2019
https://github.com/
Researchers have found that one of the most popular source code repositories in the world is still housing thousands of publicly accessible encryption keys. Over 100,000 code repositories on source code management site GitHub contain secret access keys that can give attackers privileged access to those repositories (repos) or to online service providers’ services. Researchers at North Carolina State University (NCSU) scanned almost 13% of GitHub’s public repositories over nearly six months, and revealed their findings in this paper.
The credentials that developers routinely publish on their GitHub repos fall into several categories. These include SSH keys, which are digital certificates that automatically unlock online resources. Another is application programming interface (API) keys (also known as tokens). These are digital keys that enable developers to access online services ranging from Twitter to Google Search directly from their programs. The researchers found a mixture of these keys for services including Google, Twitter, Amazon Web Services, Facebook, MailChimp, online telephony service Twilio, and credit card processing companies Stripe, Square, and Braintree.
[Source: nakedsecurity.sophos]
https://github.com/
Researchers have found that one of the most popular source code repositories in the world is still housing thousands of publicly accessible encryption keys. Over 100,000 code repositories on source code management site GitHub contain secret access keys that can give attackers privileged access to those repositories (repos) or to online service providers’ services. Researchers at North Carolina State University (NCSU) scanned almost 13% of GitHub’s public repositories over nearly six months, and revealed their findings in this paper.
The credentials that developers routinely publish on their GitHub repos fall into several categories. These include SSH keys, which are digital certificates that automatically unlock online resources. Another is application programming interface (API) keys (also known as tokens). These are digital keys that enable developers to access online services ranging from Twitter to Google Search directly from their programs. The researchers found a mixture of these keys for services including Google, Twitter, Amazon Web Services, Facebook, MailChimp, online telephony service Twilio, and credit card processing companies Stripe, Square, and Braintree.
[Source: nakedsecurity.sophos]
