GitHub Security – How secure is the popular Git repository hosting service?
If you are a developer, you are probably familiar with GitHub, a well-known development platform used by businesses of all sizes. GitHub is a web-based hosting service for version control using Git. From open source to business, you can host and review code, manage projects, and build software alongside millions of other developers. The platform offers all of the distributed version control and source code management (SCM) functionality of Git and adds its own features on top: access control and collaboration features such as bug tracking, feature requests, task management, and wikis for every project. GitHub reports having almost 20 million users and 57 million repositories, making it the largest host of source code in the world. Git itself is a version control system for tracking changes in computer files and coordinating work on those files among multiple people.
Earlier this month, GitHub revealed that a bug had exposed some plaintext passwords. The company said a small but unspecified number of GitHub staff could have seen those plaintext passwords. Given its popularity, the question that is rarely asked is: how secure is the platform, anyway? The latest findings from Fidelis Cybersecurity may help answer it. While researching the use of passwords for lateral propagation in their Deception module, Fidelis Cybersecurity found a surprising number of passwords publicly available. They continued the investigation by pivoting on their findings and uncovered vast caches of passwords. To their surprise, these password lists are publicly available, most likely without the owners’ knowledge or clear understanding.
The research was led by Yishai Gerstle, a security researcher at Fidelis Cybersecurity. Gerstle documented how easy it is to find users’ passwords on the GitHub platform. Their findings will shock you: they range from credentials left in the wild to users sharing far too much with the GitHub community. Before we get into the summary of their findings, it should be pointed out that in late 2017, GitHub introduced security alerts on its platform. This notification capability tells developers when GitHub detects a vulnerability in one of their dependencies and then suggests known fixes from the GitHub community.
Below is a summary of their findings. The findings revealed numerous accounts and passwords stored in plain-text including:
- More than 500 Chrome password manager databases, most of them in plain text, unencrypted. In some cases, we found hundreds of such credentials stored by a few GitHub users.
- 100+ Firefox password manager files. While these were encrypted, we could, in many cases, locate the encryption key and easily get to the passwords.
- 250+ Linux password managers based on Gnome-Keyring.
- In some cases, we were even able to remotely discover and validate Linux admin passwords.
“The passwords and credentials that we found could enable access to popular web sites and services, including: PayPal, Facebook, Google, Twitter and Office 365. Credentials were also found for access to corporate web services and university accounts, probably leaked from home computers and smartphones used for business,” Gerstle said.
Gerstle cautioned that the passwords and credentials they found could enable access to popular web sites and services, including PayPal, Facebook, Google, Twitter and Office 365. “Credentials were also found for access to corporate web services and university accounts, probably leaked from home computers and smartphones used for business.”
Gerstle also shared how easy it is to gain access to the machine password and provided details of the full attack chain for validating the machine password:
- Find the login.keyring file on GitHub by searching for: filename:"login.keyring" path:/.local
- Search in the user directories of GitHub for the Firefox logins.json file.
- Decrypt the passwords of Firefox.
- Clone login.keyring and use it to replace the one in your .local/share/keyrings/.
- Log out of your machine to load the new login.keyring.
- Open the seahorse GUI and unlock the password manager with passwords of Firefox.
- Congratulations, the machine password was found and validated!
- With that we can now view Chrome passwords.
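Every step of that chain depends on a password store (login.keyring, logins.json, or a browser database) having been committed to a repository in the first place. The following is an added example, not code from the Fidelis post or from GitHub, of a check a team can run before pushing: it flags tracked paths that look like browser or OS password stores. The login.keyring and logins.json names come from the findings above; key3.db/key4.db (the Firefox key database) and Chrome's "Login Data" SQLite file are added here from general knowledge of those browsers, and the sample path list is constructed for illustration.

```python
import re
import subprocess
import sys
from pathlib import PurePosixPath

# Path patterns for credential stores. login.keyring and logins.json are the
# files named in the Fidelis findings; the Firefox key database and the Chrome
# "Login Data" file are added here as well-known companions (assumption, not
# from the post).
SENSITIVE_FILE_PATTERNS = [
    (re.compile(r"(^|/)\.local/share/keyrings/[^/]+\.keyring$"), "GNOME keyring store"),
    (re.compile(r"(^|/)login\.keyring$"), "GNOME login keyring"),
    (re.compile(r"(^|/)logins\.json$"), "Firefox saved logins"),
    (re.compile(r"(^|/)key[34]\.db$"), "Firefox key database (unlocks logins.json)"),
    (re.compile(r"(^|/)Login Data(-journal)?$"), "Chrome saved-password SQLite DB"),
]

# Constructed sample of tracked paths, used when no repository is given.
SAMPLE_PATHS = [
    "src/main.py",
    "dotfiles/.local/share/keyrings/login.keyring",
    "backup/firefox/logins.json",
    "backup/firefox/key4.db",
    "chrome/Default/Login Data",
    "notes/logins.json.md",  # not a real store; must not be flagged
]


def flag_sensitive_paths(paths):
    """Return (path, reason) for every path that matches a credential-store pattern."""
    hits = []
    for p in paths:
        norm = PurePosixPath(p).as_posix()
        for pattern, reason in SENSITIVE_FILE_PATTERNS:
            if pattern.search(norm):
                hits.append((norm, reason))
                break  # one reason per path is enough
    return hits


def tracked_files(repo_dir):
    """List files tracked by git in repo_dir via `git ls-files -z` (NUL-separated)."""
    out = subprocess.run(["git", "-C", repo_dir, "ls-files", "-z"], check=True, capture_output=True)
    return [p for p in out.stdout.decode("utf-8", "surrogateescape").split("\0") if p]


if __name__ == "__main__":
    paths = tracked_files(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PATHS
    hits = flag_sensitive_paths(paths)
    for path, reason in hits:
        print(f"{path}: {reason}")
    sys.exit(1 if hits else 0)  # non-zero exit blocks a push when used as a hook
```

Run it with a repository path as a pre-push hook, or with no argument to see the constructed sample flagged.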
In conclusion, Gerstle shares recommendations on how enterprises can protect themselves, along with some general tips for adding layers of protection to their data and network in order to detect and prevent breaches. You can read the entire post here.