GitHub’s search capability remains dark Friday after it was discovered that the code-sharing site’s search feature could be used to dredge up passwords, private crypto keys, and other credentials developers use in their projects.
GitHub is a popular collaboration site for open source software developers, who store and share code with other developers. A message on the GitHub status page read today: “Search remains unavailable. The cluster is recovering slowly and we continue to monitor its progress. We'll provide further updates as they become available.”
GitHub released the new search functionality on Wednesday; searches now return results that include code from private repositories the searching user has access to.
“Under the hood is an Elastic Search cluster that live-indexes your code as you push it up to GitHub. Search results will be returned from public and private repositories that you have access to,” the site says. “To ensure better relevancy, we’re being conservative in what we add to the search index. Repository forks will not be searchable unless the fork has more stars than the parent repository, for example.”
The storm began yesterday when a Twitter user reported finding an SSH password for a major Chinese website’s production server. Soon, a number of searches for RSA keys, SSH passwords and other credentials were circulating on Twitter. The search tool enables users to look into other code repositories stored on the site; some developers apparently were committing private credentials to public files that are searchable. A GitHub representative told Threatpost that the downtime is not related to the issue of users putting private information in public repositories.
A number of posts to Twitter indicated people were finding hundreds of search results for RSA keys, configuration files and other valid credentials which, if compromised, could enable an attacker to impersonate a user or redirect traffic to a malicious site.
While GitHub’s search is inaccessible for now, the publicly stored credentials are still searchable over Google and other search engines.
Users should change any passwords and keys uploaded to GitHub. The site provides guidance on removing sensitive data.
“If you committed a password, change it! If you committed a key, generate a new one. Once the commit has been pushed you should consider the data to be compromised,” GitHub warns.
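The practical defence against the problem described above is to catch a credential before it is ever committed, since once pushed it must be treated as compromised. The following is an added example, not code from the article or from GitHub: a small scanner that checks file contents for private-key blocks, hard-coded password assignments and access-key-style identifiers, and can be wired in as a git pre-commit hook. The detection patterns, the placeholder allow-list and the sample files are constructed for illustration and are assumptions of this example, not anything the article specifies.

```python
"""Scan files for accidentally committed credentials before they are pushed.

Added example (not from the article or from GitHub). Detection rules, the
placeholder allow-list and the sample inputs below are constructed.
"""
import re
import subprocess
import sys
from typing import Dict, List, Tuple

# Constructed detection rules: rule name -> compiled regex.
SECRET_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    # PEM header that starts any private key (RSA, EC, DSA, OpenSSH, ...).
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
    ),
    # password = "..." / password: '...' with a non-trivial quoted value.
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*['\"]([^'\"]{4,})['\"]"
    ),
    # AWS-style access key ID prefix followed by 16 uppercase alphanumerics.
    "access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Values that routinely appear in docs and examples; not worth blocking on.
PLACEHOLDER_VALUES = {"changeme", "password", "example", "xxxx", "<password>"}

# Constructed sample inputs standing in for files staged for commit.
SAMPLE_FILES: Dict[str, str] = {
    "config/database.yml": 'production:\n  adapter: mysql\n  password: "s3cr3t-prod-pass"\n',
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIE(constructed)\n-----END RSA PRIVATE KEY-----\n",
    "docs/README.md": "Set PASSWORD='changeme' before running the app.\n",
}


def find_secrets(content: str) -> List[Tuple[str, int]]:
    """Return (rule name, 1-based line number) for every suspicious line."""
    findings: List[Tuple[str, int]] = []
    for lineno, line in enumerate(content.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            # Skip obvious placeholders so documentation does not block commits.
            if name == "password_assignment" and match.group(1).lower() in PLACEHOLDER_VALUES:
                continue
            findings.append((name, lineno))
    return findings


def scan_files(files: Dict[str, str]) -> Dict[str, List[Tuple[str, int]]]:
    """Scan a mapping of path -> content; only paths with findings are returned."""
    return {path: hits for path, content in files.items() if (hits := find_secrets(content))}


def staged_files() -> Dict[str, str]:
    """Contents of files added or modified in the git index (requires git)."""
    names = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=AM"],
        capture_output=True, text=True, check=True,
    ).stdout.split()
    # `git show :path` prints the staged (index) version of the file.
    return {
        name: subprocess.run(["git", "show", f":{name}"], capture_output=True,
                             text=True, check=True).stdout
        for name in names
    }


if __name__ == "__main__":
    # Run with --staged from a pre-commit hook; without it, scan the samples.
    targets = staged_files() if "--staged" in sys.argv else SAMPLE_FILES
    report = scan_files(targets)
    for path, hits in report.items():
        for rule, lineno in hits:
            print(f"{path}:{lineno}: possible {rule}")
    # Non-zero exit aborts the commit when used as a hook.
    sys.exit(1 if report else 0)
```

Installed as `.git/hooks/pre-commit` (calling the script with `--staged`), a non-zero exit refuses the commit, which is far cheaper than the key rotation and history rewriting the article's guidance otherwise requires. Treat the patterns as a starting point: they flag the common cases on this page (PEM keys, quoted passwords) and will need tuning per project.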
This article was updated to include comment from GitHub.