GitHub repositories could end up compromised and used to deliver malicious code because their owners secure them with weak SSH keys.
GitHub is a web-based Git repository hosting service, which offers all of the distributed revision control and source code management (SCM) functionality of Git as well as adding its own features. Unlike Git, which is strictly a command-line tool, GitHub provides a web-based graphical interface and desktop as well as mobile integration. It also provides access control and several collaboration features such as wikis, task management, and bug tracking and feature requests for every project.
“A little known feature of GitHub is the ability to look at the public SSH keys that other users have set to be authorized on their account,” software developer Ben Cartwright-Cox said in a blog post.
“This is a great debugging feature and in addition a great way to share SSH public keys. However one of the other side effects of this is that it means that everyone can see your public keys, and if someone cares enough, collect a massive database of everyone’s SSH keys.”
Cartwright-Cox first tried looking for SSH keys two years ago and found most users did not use them. But he tried again later on and ended up collecting 1.38 million keys, and started analyzing them.
He found some that were easy to break because they contained too few bits, as well as a number of keys generated with the flawed random number generator that shipped in Debian for a few years and could only produce one of 32,767 possible keys.
When Cartwright-Cox contacted GitHub about this matter in March, he learned that many other repositories also used weak keys. In early May GitHub revoked the Debian-generated weak keys and emailed repository admins asking them to create new ones. A month later, GitHub did the same for accounts using other weak and low-quality keys.
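The article's "insufficient number of bits" problem is something repository owners can check themselves: each line of a GitHub `<user>.keys` page or an `authorized_keys` file is `type base64-blob comment`, and the blob holds length-prefixed fields from which the key size can be read. The following parser is an added example (not Cartwright-Cox's code); the 2048-bit threshold and the constructed dummy keys it builds for demonstration are assumptions, not real keys.

```python
import base64
import struct
from typing import List, Tuple

# Assumed policy threshold: RSA/DSA keys below this size are reported as weak.
MIN_RSA_BITS = 2048

def _read_string(blob: bytes, off: int) -> Tuple[bytes, int]:
    """Read one length-prefixed 'string' field of the SSH wire format (RFC 4251)."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def _fields(blob: bytes) -> List[bytes]:
    """Split a decoded public-key blob into its fields."""
    out, off = [], 0
    while off < len(blob):
        s, off = _read_string(blob, off)
        out.append(s)
    return out

def key_info(line: str) -> Tuple[str, int]:
    """Return (key type, key size in bits) for one .keys / authorized_keys line."""
    parts = line.split()
    ktype, fields = parts[0], _fields(base64.b64decode(parts[1]))
    if fields[0].decode() != ktype:
        raise ValueError("key type inside blob does not match the line prefix")
    if ktype == "ssh-rsa":        # fields: type, e, n; n is an mpint (may carry a leading 0x00)
        return ktype, int.from_bytes(fields[2], "big").bit_length()
    if ktype == "ssh-dss":        # fields: type, p, q, g, y; strength is the size of p
        return ktype, int.from_bytes(fields[1], "big").bit_length()
    if ktype == "ssh-ed25519":    # fixed-size curve
        return ktype, 256
    if ktype.startswith("ecdsa-sha2-"):  # second field names the curve, e.g. b"nistp256"
        return ktype, int(fields[1].decode()[len("nistp"):])
    raise ValueError(f"unsupported key type {ktype}")

def is_weak(line: str) -> bool:
    """True when an RSA or DSA key is shorter than the assumed minimum."""
    ktype, bits = key_info(line)
    return ktype in ("ssh-rsa", "ssh-dss") and bits < MIN_RSA_BITS

def encode_key_line(ktype: str, fields: List[bytes]) -> str:
    """Build a CONSTRUCTED key line from raw fields (demonstration only, not a usable key)."""
    blob = b"".join(struct.pack(">I", len(f)) + f for f in [ktype.encode()] + fields)
    return f"{ktype} {base64.b64encode(blob).decode()} constructed@example"

def make_rsa_line(modulus_bits: int) -> str:
    """CONSTRUCTED ssh-rsa line with a dummy modulus of exactly modulus_bits bits."""
    n = (1 << (modulus_bits - 1)) | 0x1234567          # top bit set so bit_length() is exact
    nb = n.to_bytes((modulus_bits + 7) // 8, "big")
    if nb[0] & 0x80:
        nb = b"\x00" + nb                              # mpint rule: pad when high bit is set
    return encode_key_line("ssh-rsa", [b"\x01\x00\x01", nb])
```

Pointing `key_info` at each line of your own `https://github.com/<user>.keys` output lists the size of every key GitHub accepts for your account; it does not detect Debian-RNG keys, which require comparing against the published blacklist of weak fingerprints.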
“If you have just/as of late gotten an email about your keys being revoked, this is because of me, and if you have, you should really go through and make sure that no one has done anything terrible to you, since you have opened yourself to people doing very mean things to you for what is most likely a very long time,” Cartwright-Cox started off his blog.