GitHub key leaks and how to prevent them

[harlan4096]

Recently, researchers at North Carolina State University discovered more than 100,000 projects on GitHub with tokens, cryptographic keys, and other confidential data stored in open form. In total, more than half a million such objects were found in the public domain, of which more than 200,000 are unique. What’s more, the tokens were issued by major companies such as Google, Amazon MWS, Twitter, Facebook, MailChimp, MailGun, Stripe, Twilio, Square, Braintree, and Picatic.

GitHub is a popular resource for cooperative software development. It is used for storing code in repositories with open or restricted access, linking with colleagues, involving them in program testing, and using ready-made open-source developments. It greatly simplifies and speeds up the creation of apps and services, so many programmers are happy to use it. Companies that create their software based on open-source modules use it actively. In addition to that, companies that want to be transparent frequently use it.

However, special care should be taken when uploading code to GitHub — advice that some developers do not always follow.

What data got into the public domain

GitHub was found to be hosting blocks of openly available code containing tokens and keys sufficient to pass authorization and perform certain actions on behalf of users or apps. Among this unwittingly declassified information were:

* Login credentials for administrator accounts on major websites,

* API keys or tokens enabling the use of in-app API functions — a set of tools for interaction between various system components, for example, a program and a website,

* Cryptographic keys, many of which are used for authentication instead of a password, not in combination with one, so knowing only one key is enough to gain access to many resources, including private networks.  

Continue Reading