Twitter source on Github (public repo) | Github publishes RSA SSH host keys by mistake
CyberInsights #87 - Two of the most common source code related risks materialise in a week...
Twitter’s source code was made public on Github
Source code leaks affect more than copyrights ©
The bird was free from the cage. At least for a short period.
Twitter requested a takedown of excerpts of its source code from a public repository on Github. After the request, the repository was taken down.
According to this article by DarkReading, the public repository contained folders like ‘auth’ and ‘aws-dal-reg-svc’, suggesting the contents might be confidential in nature.
Source code leaks are serious risks. Sometimes, as is possible in this case, they are deliberate, while sometimes they are merely acts of carelessness (“I did not realise I was pushing the code to a public repo”) or stupidity (“I wanted to work on the code from home and did not want to raise a ticket”).
Source code security is a grave concern for all infosec professionals.
Take Action:
As a part of the risk assessment process, infosec professionals often identify ‘source code’ as a valuable asset — impacting confidentiality (business advantage, etc.), integrity (malicious code in the repo, etc.) & availability (hours and hours of lost coding time). However, they focus very little attention on managing processes around the source code.
Who has access to which branch of the repository?
What permissions does the individual have?
How often is this access reviewed?
Can developers push code to public repos?
Review the process of managing access to source code repositories in detail. Create detailed access control matrices and review them often. Set up strong SOPs that contain answers to the above questions.
Github inadvertently publishes SSH key
Publishing private keys on public repos is so common that Github has a service for scanning repos for secrets.
Private keys are liberally strewn across Github. So much so, that Github has a service around it. It’s a pity that they published their own private keys 🤣.
It’s one of those oops moments that gets you to burst out laughing before you get serious. Imagine — Github publishes its SSH private key on a repo on, wait for it, Github.
Getting serious, private keys being made public is a risk that organisations should consider seriously.
Take Action:
Check if your dev team has a mechanism to detect inadvertent publishing of private keys. This is possible during various stages of the application development process:
During development, a SAST tool can check for hardcoded passwords, keys, etc.
During the testing stage, DAST tools can check for exposed secrets in sessions, URLs, etc.
In your code repo environment tools can check for public secrets.
In your storage infrastructure (like cloud storage, etc.), configuration scanning can tell you about public storage with exposed secrets.
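As an added example (not from this newsletter or any product it mentions), a minimal Python pre-commit-style scanner for the development and repo stages above: it flags PEM private key blocks, AWS access key IDs and high-entropy credential assignments in a constructed config snippet, and ignores low-entropy values to keep noise down.

```python
import re
from collections import Counter
from math import log2

# Constructed sample input: a config file a developer might commit by accident.
SAMPLE_CONFIG = """\
db_host = db.internal.example
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
-----BEGIN OPENSSH PRIVATE KEY-----
(constructed placeholder, not real material)
-----END OPENSSH PRIVATE KEY-----
api_token = "xK9mQ2vL8pR4tZ7wN1cF6hJ3bY"
legacy_token = "deadbeefdeadbeef"
"""

# Detectors: PEM headers cover RSA / EC / OpenSSH private key blocks, the AWS
# pattern is the documented access key ID format, and the assignment pattern
# catches "secret = ..." style values, which are then filtered by entropy.
PEM_HEADER = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
ASSIGNMENT = re.compile(
    r"(?i)(secret|token|password|passwd|key)\w*\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{16,})"
)
ENTROPY_THRESHOLD = 3.5  # bits/char; random hex or base64 sits well above this

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * log2(c / n) for c in Counter(s).values())

def find_secrets(text: str) -> list:
    """Return (line_number, finding) pairs for lines that look like leaked secrets."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if PEM_HEADER.search(line):
            findings.append((lineno, "private key block"))
        elif AWS_KEY_ID.search(line):
            findings.append((lineno, "aws access key id"))
        else:
            m = ASSIGNMENT.search(line)
            # Low-entropy values such as "deadbeefdeadbeef" are left alone to cut noise.
            if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "high-entropy credential"))
    return findings
```

Running `find_secrets(SAMPLE_CONFIG)` reports the AWS key ID on line 2, the private key block on line 3 and the random-looking token on line 6, while the low-entropy `legacy_token` value is not reported.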