25 Jan 2013

Multiple GitHub Projects Expose Private SSH Key


A number of private cryptographic keys associated with GitHub accounts were inadvertently published on the web and cached by GitHub's code search engine.

GitHub is a collaboration, code review and code management platform hosting a huge number of open source and private projects, such as the popular Chromium browser, the Android spin-off Cyanogen, WordPress and the Linux kernel. It is the place where programmers upload their source code for review or collaboration and, sometimes, other significant information such as – you guessed it – the private cryptographic keys used to log into those very accounts.

According to reports on Twitter (including a tweet from Stack Overflow co-founder Jeff Atwood), more than 80 pages' worth of private RSA keys associated with important projects have been inadvertently uploaded by the project owners themselves, even though such keys should remain strictly in their possession. A leaked key could be used to log in to the project and change its contents at will: add a tiny backdoor to the code, then wait for it to be downloaded and used in production.

GitHub has removed the entries from its search engine, but, since the site is thoroughly indexed by Google, cached keys are still available to users who master advanced Google searches.
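The mistake described above is easy to catch before a push. As an added example that is not from the original article, the following Python scanner (a hypothetical pre-commit check, not any GitHub tooling) flags PEM-style private key blocks in a set of files and separates passphrase-protected keys from plaintext ones; the sample file tree and its placeholder key bodies are constructed for the demonstration.

```python
import re
import sys
from typing import NamedTuple

# PEM-style markers used by OpenSSH, PKCS#1, PKCS#8, EC, DSA and PGP private keys.
PRIVATE_KEY_RE = re.compile(
    r"-----BEGIN (?P<kind>(?:RSA |DSA |EC |OPENSSH |ENCRYPTED |PGP )?PRIVATE KEY(?: BLOCK)?)-----"
)
# Legacy OpenSSL header that marks a passphrase-protected PKCS#1 block.
LEGACY_ENCRYPTED_RE = re.compile(r"^Proc-Type: 4,ENCRYPTED", re.MULTILINE)


class Finding(NamedTuple):
    path: str
    line: int
    kind: str
    encrypted: bool


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per private-key block found in `text`."""
    findings = []
    for match in PRIVATE_KEY_RE.finditer(text):
        kind = match.group("kind")
        line = text.count("\n", 0, match.start()) + 1
        end = text.find("-----END", match.end())
        body = text[match.end(): end if end != -1 else len(text)]
        # A passphrase-protected key is still a leak, but a lower-severity one.
        # OPENSSH-format encryption is only visible inside the base64 payload, so
        # such keys are conservatively reported as unencrypted here.
        encrypted = "ENCRYPTED" in kind or LEGACY_ENCRYPTED_RE.search(body) is not None
        findings.append(Finding(path, line, kind, encrypted))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory {path: contents} map, e.g. the files staged for a commit."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample tree: the key bodies are placeholders, not real key material.
SAMPLE_TREE = {
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDERBASE64\n-----END RSA PRIVATE KEY-----\n",
    "deploy/id_rsa.pub": "ssh-rsa PLACEHOLDERBASE64 deploy@example.invalid\n",  # public half: fine to commit
    "deploy/backup.key": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n",
    "config/app.pem": "certificate text\n-----BEGIN ENCRYPTED PRIVATE KEY-----\nPLACEHOLDER\n-----END ENCRYPTED PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    # Usage: python scan_keys.py [path ...]; with no paths the constructed sample tree is scanned.
    paths = sys.argv[1:]
    tree = {p: open(p, encoding="utf-8", errors="replace").read() for p in paths} or SAMPLE_TREE
    hits = scan_files(tree)
    for hit in hits:
        print(f"{'WARN' if hit.encrypted else 'FAIL'} {hit.path}:{hit.line}: {hit.kind}")
    sys.exit(1 if any(not h.encrypted for h in hits) else 0)  # block the commit on a plaintext key
```

Wired into a pre-commit hook over the staged file list, a non-zero exit stops the commit before the key ever reaches a remote, which is far cheaper than rotating it after a search engine has cached it.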