Security

This article is more than 1 year old

Compromised SSH keys used to access Spotify, UK Govt GitHub repos

CloudFlare bod gobbles 1.4 million public keys

Wed 3 Jun 2015 // 07:30 UTC

CloudFlare engineer Ben Cox says the official Github repositories of the UK Government, Spotify, and Python were accessed using likely compromised SSH keys.

Cox says the keys revoked this month are subject to a compromised Debian OpenSSL random number generator seed discovered and fixed in early 2008.

The security bod discovered the vulnerable keys in the hands of users with commit access to high profile respositories after he scraped some 1.4 million SSH keys from Github.

“I used g0tmi1k’s set of keys to compare against what I had in my database, and found a very large amount of users who are still using vulnerable keys, and even worse, have commit access to some really large and wide projects,” Cox says.

“The most scary part of this is that anyone could have just looped through all of these keys just trying to SSH into GitHub to see the banner it gives.

“It would be safe to assume that due to the low barrier of entry for this, that the users that have bad keys in their accounts should be assumed to be compromised and anything that allowed that key entry may have been hit by an attacker.”

The risk is that attackers could locate and crack the affected keys and a handful of others that used weak key strengths to insert malcode into popular projects.

Cox has not attempted to gain access to the compromised repositories.

Affected projects include:

Spotify’s public repos (and any private repos those employees had access to)
Yandex’s public repos (and any private repos the person had access to)
Crypto libraries to Python
Django
Python’s core
gov.uk public repos (and any private repos the person had access to)
Couchbase (and any private repos the person had access to)
A ruby gem that is used on a large amount of CI systems (compromise of that, means compromise of your build server, and possibly your internal network)

Github acknowledged the security risk but says it is a user security issue and not something which would qualify for its bug bounty program.

Cox says that response was acceptable but adds Github should do more to stop users hurting themselves.

Topics

Special Features

Vendor Voice

Resources

Security

Compromised SSH keys used to access Spotify, UK Govt GitHub repos

CloudFlare bod gobbles 1.4 million public keys

More about

More about

Narrower topics

More about

More about

More about

Narrower topics

TIP US OFF

Other stories you might like

Sleuths who cracked Zodiac Killer's cipher thank the crowd

Microsoft squashes SmartScreen security bypass bug exploited in the wild

US government excoriates Microsoft for 'avoidable errors' but keeps paying for its products

A different view from the edge

OpenAI's GPT-4 can exploit real vulnerabilities by reading security advisories

It's 2024 and Intel silicon is still haunted by data-spilling Spectre

H-1B visa fraud alive and well amid efforts to crack down on abuse

Japanese government rejects Yahoo! infosec improvement plan

Fire in the Cisco! Networking giant's Duo MFA message logs stolen in phish attack

Microsoft slammed for lax security that led to China's cyber-raid on Exchange Online

Zero-day exploited right now in Palo Alto Networks' GlobalProtect gateways

French issue alerte rouge after local governments knocked offline by cyber attack

About Us

Our Websites

Your Privacy