14 DAY TRIAL // Weak SSH keys associated with GitHub projects, some of them belonging to the UK government, Spotify, Yandex, or Django, have been revoked as a researcher found that they could be cracked and used to tamper with the projects.
Ben Cox, system engineer at CloudFlare, discovered that some of the public SSH keys that can be accessed by any user could be cracked to get secure shell (SSH) access to a GitHub project.
Weak keys and a 7-year-old bug
He started to collect the public keys on December 27, 2014, and on January 9, 2015, the number amounted to almost 1.4 million. Further analysis revealed that about 30% of the GitHub users did not have a SSH key in their account.
Out of the 1,376,262 he found, a number of nine were so weak that breaking them would be trivial with modern hardware. Two of them were 256-bit (crackable in less than one hour, using appropriate tools) and seven were 512-bit, each factorable in a matter of hours.
However, Cox also found that a large amount of users had keys generated with a pseudo random number generator that contained a bug and rendered the results predictable. The vulnerability was discovered in 2008 and was included in the OpenSSL version available in Debian.
Among the GitHub accounts with weak keys were Spotify, Yandex, Couchbase and UK gov with commit access to public and private repos (only those the user had access to) and Python’s core.
Account owners should check their repositories
“It would be safe to assume that due to the low barrier of entry for this, that the users that have bad keys in their accounts should be assumed to be compromised and anything that allowed that key entry may have been hit by an attacker,” Cox says in a blog post.
The engineer reported his findings to GitHub on February 28, and by June 1, all the weak and low quality keys were revoked, with owners receiving a notification via email.