wiredmikey writes "GitHub's new internal search has made it easy to uncover passwords, encryption keys, and other security missteps in software development projects that are hosted on the site. GitHub announced its internal search on Jan.23, which lets users search for any string through public and private repositories they have access to.
Some users discovered yet another way to use the search tool: finding files containing private encryption keys and source code with login credentials. Scarily enough, there were thousands of them.
Searching on id_rsa, a file which contains the private key for SSH logins, returned over 600 results. Other developers had hardcoded passwords for privileged user accounts, such as root, sa, and admin.
"With a simple script or tool, external hackers or malicious insiders can quickly discover these lost keys and use them to gain access to critical information assets," Jason Thompson, director of global marketing, SSH Communications Security said. "If the key grants a high level of administrative access, such as root, the potential threat to the business grows exponentially.
To be clear, GitHub is not at fault, since the company is just a hosting service. It just stores whatever files the developer wants to save. The search engine is not accidentally leaking confidential information. The data was already saved on GitHub, it is just making it easier for someone to find these mistakes.
Developers should note that GitHub has a Help page on how to make sure sensitive data is not saved to the repository."
Link to Original Source