Over 100,000 GitHub Repos Have Leaked API or Cryptographic Keys (zdnet.com) 52
A scan of billions of files from 13 percent of all GitHub public repositories over a period of six months has revealed that over 100,000 repos have leaked API tokens and cryptographic keys, with thousands of new repositories leaking new secrets on a daily basis. From a report: The scan was the object of academic research carried out by a team from the North Carolina State University (NCSU), and the study's results have been shared with GitHub, which acted on the findings to accelerate its work on a new security feature called Token Scanning, currently in beta. The NCSU study is the most comprehensive and in-depth GitHub scan to date and exceeds any previous research of its kind. NCSU academics scanned GitHub accounts for a period of nearly six months, between October 31, 2017, and April 20, 2018, and looked for text strings formatted like API tokens and cryptographic keys.
A "scan and ban" function? (Score:2)
I wonder if GitHub could offer a service where if an API key, be it PGP, SSH, or others, it would automatically disable that item on the relevant repository. This wouldn't stop the best of the best, but it would at least be some remedial security... far better than none.
Re:A "scan and ban" function? (Score:4, Insightful)
I'm interested in the algorithm that you propose that GitHub use to determine whether a 32-character alphanumeric string embedded in the source code is an API key or something else.
Re: (Score:1)
Well it probably wouldn't be a bad idea for it to least issue a warning when you check in ~/.ssh by accident. A lot of these private files should be easily identifiable by path and name if they are not being put there on purpose.
Found the patterns (Score:2)
The featured article is light on details on the patterns used to determine whether a string is "in the format of particular API tokens or cryptographic keys." GitHub's page about "token scanning" [github.com] likewise doesn't say much. A link deeper in the article to "git secrets" by Amazon [github.com] gives regular expressions for Amazon API credentials but not those of other well-known providers. The actual regular expressions used are buried in Table III of a PDF linked near the end of the article.
Fortunately, ZDNet is not paywa
Re: (Score:2)
For starters, you might try compressing stuff and see what's incompressible, and therefore likely random binary data. You can do some sifting for false positives (images by magic number, etc.), and the rest should be a reasonable pile of cryptographic data.
How to distribute client credentials to end users? (Score:3)
Say a desktop or mobile application distributed as free software in source code form acts as a client for some Internet service. How is the application's developer supposed to distribute the required API key to the user's machine without exposing it in the source code? Or is each user of the application supposed to apply for API keys for his or her own copy of the application?
(See also my previous thoughts on the API key matter [slashdot.org])
Re: (Score:2)
The problem then comes when a service requires that users be 13 to use the service but 18 to register as a developer in order to obtain an API key. It means 13 to 17 year olds are required to either use proprietary software or not use the service.
Re: (Score:2)
What kind of weirdo edge case are you making up?
An edge case that has occurred in my own circle of friends. I have relatives who joined Twitter before age 18.
Are you a pedophile?
No.
Re: (Score:2)
Say a million users install an application. Do you think Twitter would appreciate a million requests to register a nearly identical application, differing only by internal timestamps and compiler optimization flags?
Re: (Score:2)
If you're talking about something like ssh, you distribute the public half of the key and not the private half. If you're talking about something like https, you get a cert from one of the official places, and don't distribute it at all (you could make your own cert and distribute the public half, but it's more painful). If you're using a key for user authentication, each user is going to need to generate their own key and you aren't distributing anything.
There are valid reasons to check in a private key
Re: (Score:2)
If you're using a key for user authentication, each user is going to need to generate their own key and you aren't distributing anything.
I'm talking about OAuth, version 1 or 2. The client ID and client secret in OAuth authenticate an application to a service so that the application can receive a session ID representing the user.
Re: (Score:2)
And those are going to need to be generated per-app. Otherwise you aren't authenticating anything.
Re: (Score:2)
But what's an "app"? Is it the executable program built from a particular repository, or a particular installation thereof?
Re: (Score:2)
Take a second to think about this.
If every single install of a program, anywhere on the planet, uses exactly the same identity, how do you know who to let in and who to keep out?
You wouldn't. Which is why you don't give everyone the same identity just because they're running the same executable.
Oh dear (Score:3)
Gee, if only there was some quick and easy way to migrate from GitHub to Sourceforge... Oh wait!
Re: (Score:2)
Re: (Score:2)
Do you actually think leaking keys on Sourceforge better than leaking keys on GitHub, or have I missed a joke somewhere?
Re: (Score:2)
Bad joke on my part. The first thing I always see on Slashdot is a banner advertising "Migrate from GitHub to SourceForge quickly and easily with this tool..", apparently not everybody here is so targeted.
Re:I suspect many are just fake (Score:4, Funny)
NCSU academics scanned GitHub accounts for a period of nearly six months... and looked for text strings formatted like API tokens and cryptographic keys.
Or maybe they were just misidentifying old Perl scripts
Either that or (Score:2)
If this does happen to you it's because you aren't doing code review. If you are solo, then give yourself a quick review by doing a "git add" on each individual file before committing. That gives you a chance to double-check, and you can even do a "git diff" on each file before committing to be extra sure. There are lots of processes you can use to avoid this kind of mis
Re: (Score:2)
Review? As in PR? Too late .. Or did you mean extreme programming pre-push review?
To commit to git, you have two options: you can either commit the files one at a time, or commit them all at once without looking at what you are committing. One of those options leads to mistakes, even if the mistakes aren't as serious as committing a private key.
No one does that
You don't need to, but if you find yourself committing things you shouldn't, then make a chanage in your personal process so that doesn't happen.
Re: (Score:2)
I've been managing developer for many years. You'd probably be amazed how many developers simply blindly commit and pray that someone else set all of the ignore rules up correctly. I have this conversation at least once per month: "Why did you commit X"... "I didn't do that, [git/hg/svn/cvs/tfs] did that." I occasionally get "Why did you deleted Bob's code"... "I didn't, there were no merge conflicts".
Or the worst version of this... "Ohhh, you mean I shouldn't have checked code in that will overwrite the pr
Re: (Score:2)
I occasionally get "Why did you deleted Bob's code"... "I didn't, there were no merge conflicts".
lol "I did 'git push -f' and it worked fine!
Re: Either that or (Score:2)
but (Score:3, Insightful)
Re: (Score:2)
Re: (Score:2)
Yeah, I have several GitHub projects where I've left passwords in the code. The passwords work on a local instance of some API that's exposed on a port that isn't open outside the machine it's on, has NAT without port-forwarding between it and the Internet, and is only running when I turn it on. The passwords, themselves, are randomly generated and not reused on other services, so they don't leak any particular information about my passwords elsewhere. When I put the code into production, I use a different
why is it (Score:2)
Re:why is it (Score:4, Informative)
that every time microsoft gets ownership of something a few weeks or months later some bad shit like this happens, makes me wonder if a lot of this sort of thing is an inside job,
MS didn't force people to upload keys to 100,000 repositories. This is not a MS thing and implying it is is pure flamebait.
Re: (Score:2)
Re: (Score:2)
Were they real keys? (Score:2)
So, it looks like they more-or-less did a regex for things that looked like keys.
How did they know they were "real" keys? If I check in some integration tests, they're going to need a key.....and no one should use that key in anything other than a local integration test. Nor would they expect to since it's in "test" folder only used to build and run tests.
Or you might check in a key to provide an "example" mode with all sorts of warnings about "change this key before production", similar to how many web s
Source Code Or Configuration Files (Score:2)
I guess my question is that are these keys in question in source modules or just configuration files. If they are in configuration files, how do they not know these are just test keys that will then get changed to production values.
How are API keys actually secure at all? (Score:2)
Suppose I write an Android app that uses Google Maps & requires an API key. I dutifully follow Google's instructions, build my app with the key in Strings.xml, compile it, sign it, and publish it to Google Play.
What, exactly, is there to stop someone from obtaining my app through Google Play, ripping it from their phone, deodexing the binary, extracting my API key, then writing THEIR OWN Maps-using app that uses my API key and distributing it to a million users in China (or anywhere else in the world) s