A research study by academics of North Carolina State University (NCSU) has shown that certain GitHub repos were leaking API tokens and cryptographic keys.
The study analyzed more than a billion GitHub files which were spread across millions of repositories. The three-member team in the study specifically looked into text strings containing API tokens or cryptographic keys present in different formats.
The big picture
RSA keys found
On top of finding API tokens and cryptography keys, the NCSU team also found over 7000 RSA keys inside OpenVPN config files.
Their analysis showed that most users turned off password authentication and relied on these RSA keys for authorization. This can lead to the possibility of attackers using these keys to infiltrate thousands of private networks.
Resolution in the works
Brad Reaves, Assistant Professor in Department of Computer Science at NCSU, told ZDNet that the study’s results were shared with the GitHub corporate team.
“We have discussed the results with GitHub. They initiated an internal project to detect and notify developers about leaked secrets right around the time we were wrapping up our study. This project was publicly acknowledged in October 2018,” Reaves said.