
Hundreds of SSH Private Keys exposed via GitHub Search

GitHub is a source code repository which lets developers work on programs together as a team, even when they are in different locations. Each repository on the site is a public folder designed to hold the software code that a developer is working on.

This Tuesday GitHub announced a major upgrade to the site's search engine: "Finding great code on GitHub just got a whole lot easier." Yesterday a few Twitter users pointed out that there is no shortage of embedded private SSH keys and passwords that can easily be found via GitHub's new feature.


If you upload security information (keys, passwords, etc.) to a public repository, the new search feature will allow anyone to find it.

Today, GitHub's search function stopped working, though the site didn't acknowledge the cause. The updated message is: "Search remains unavailable. The cluster is recovering slowly and we continue to monitor its progress. We'll provide further updates as they become available."

Lots of credentials were publicly available using the following sample search keywords:
  • extension:key BEGIN RSA PRIVATE KEY
  • size:>1 path:.ssh/id_rsa
  • size:>1 path:.gnupg/secring.gpg
Other types of sensitive keys were also in danger, including private keys created for encrypting email and other communications using services like GnuPG.

You can also find similar results using Google search, as shown.
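
An added example (not from the original article): a Python check a developer could run on a working tree before pushing, flagging files that match the path patterns from the search keywords above or that contain a private-key header. The function names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

# Path patterns taken from the search keywords quoted in the article.
RISKY_SUFFIXES = (".ssh/id_rsa", ".gnupg/secring.gpg")
# PEM/armor header of a private key (RSA, EC, OPENSSH, PKCS#8, PGP ...).
PRIVATE_KEY_HEADER = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY(?: BLOCK)?-----")
MAX_BYTES = 1 << 20  # inspect at most 1 MiB of each file

def scan_tree(root):
    """Return sorted (relative_path, reason) pairs for suspect files."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip git metadata
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            # Binary keyrings carry no PEM header, so match on path as well.
            if any(("/" + rel).endswith("/" + s) for s in RISKY_SUFFIXES):
                findings.append((rel, "path"))
            with open(full, "rb") as fh:
                if PRIVATE_KEY_HEADER.search(fh.read(MAX_BYTES)):
                    findings.append((rel, "content"))
    return sorted(findings)

def build_sample_tree(root):
    """Write a constructed working tree; the 'keys' are placeholders."""
    fake_pem = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                b"CONSTRUCTED-PLACEHOLDER-NOT-A-KEY\n"
                b"-----END RSA PRIVATE KEY-----\n")
    samples = {
        "deploy/server.key": fake_pem,
        "home/.ssh/id_rsa": fake_pem,
        "home/.ssh/id_rsa.pub": b"ssh-rsa CONSTRUCTED user@example\n",
        "home/.gnupg/secring.gpg": b"\x95\x01constructed-binary",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reason in scan_tree(tmp):
            print(f"{reason:8} {rel}")
```

A key that has already been pushed to a public repository should be treated as compromised and replaced; deleting the file in a later commit leaves it in the history.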
