A large number of repositories may have been compromised

Jan 25, 2013 13:54 GMT  ·  By

On January 23, GitHub unveiled major improvements to its code search engine. However, the new search infrastructure has turned out to be even more effective than expected, surfacing private Secure Shell (SSH) keys that had been committed to some repositories.

On Thursday, users began to notice that SSH keys could be easily found on GitHub. Some users reported that the keys they found were associated with the production server of a major website from China and, according to SC Magazine, even ones for the Google Chrome source code repository.

Sophos experts have investigated the incident and they say that the exposed private SSH keys belong to coders who have generated public/private key pairs for secure communications with GitHub. The programmers mistakenly uploaded their private keys instead of the public ones.

Around 80 search pages of private keys have been exposed by the incident. Luckily, GitHub has rushed to disable the site’s search functionality.

On the downside, the sensitive information can still be found via a simple Google search for “site:http://github.com inurl:.ssh/id_rsa.”

“If you are determined to produce your own key pairs, do yourself a favour and be watchful which one you give out and which one you keep,” noted Paul Ducklin, Sophos's head of technology, Asia Pacific.

The main fault lies with the programmers who uploaded their private keys instead of the public ones. However, some experts argue that GitHub should blacklist well-known private locations such as ~/.ssh and ~/.gnupg so that their contents cannot be committed.
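One way to enforce the blacklist idea above on the developer's side, as an added example (not code from GitHub or Sophos): a git pre-commit hook in Python that refuses to commit any file whose path or contents look like a private key. The blocked directory and file names and the PEM header patterns are assumptions, based on the page's suggestion and the default OpenSSH and GnuPG naming conventions.

```python
"""Pre-commit hook that refuses to commit SSH/PGP private key material.

Added example, not code from GitHub or Sophos. Install by copying it to
.git/hooks/pre-commit and marking it executable. The blocked names and
header patterns are assumptions, not a complete list.
"""
import re
import subprocess
import sys
from pathlib import PurePosixPath
from typing import List, Optional

# Directories and default file names that conventionally hold private keys.
BLOCKED_DIRS = {".ssh", ".gnupg"}
BLOCKED_NAMES = {"id_rsa", "id_dsa", "id_ecdsa", "id_ed25519"}

# PEM armour headers used by OpenSSH, OpenSSL and GnuPG private keys.
# Public keys ("PGP PUBLIC KEY BLOCK", "ssh-rsa AAAA...") do not match.
PRIVATE_KEY_HEADER = re.compile(
    rb"-----BEGIN (?:RSA |DSA |EC |OPENSSH |PGP |ENCRYPTED )?PRIVATE KEY(?: BLOCK)?-----"
)


def check_path(path: str) -> Optional[str]:
    """Return a reason if the repository path itself looks like a private key file."""
    parts = PurePosixPath(path).parts
    if any(p in BLOCKED_DIRS for p in parts[:-1]):
        return f"path is under a private key directory: {path}"
    if parts[-1] in BLOCKED_NAMES:  # id_rsa is blocked, id_rsa.pub is not
        return f"default private key file name: {path}"
    return None


def check_content(path: str, data: bytes) -> Optional[str]:
    """Return a reason if the staged bytes contain a PEM private key header."""
    if PRIVATE_KEY_HEADER.search(data):
        return f"private key header found in: {path}"
    return None


def scan_staged() -> List[str]:
    """Run both checks over files staged for commit (requires git in PATH)."""
    names = subprocess.check_output(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=AM", "-z"]
    ).split(b"\0")
    findings = []
    for raw in filter(None, names):
        path = raw.decode()
        data = subprocess.check_output(["git", "show", f":{path}"])  # staged blob
        findings.extend(r for r in (check_path(path), check_content(path, data)) if r)
    return findings


if __name__ == "__main__":
    problems = scan_staged()
    for problem in problems:
        print("refusing commit:", problem, file=sys.stderr)
    sys.exit(1 if problems else 0)
```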

Paul Ducklin has published an advisory which details how SSH key pairs should be generated and labeled to avoid such incidents.

In the meantime, the latest update on the issue from GitHub reads: “Search remains unavailable. The cluster is recovering slowly and we continue to monitor its progress. We'll provide further updates as they become available.”