GitHub is a powerful and popular collaborative tool for open source and private development projects, and a favorite repository of open source developers. Last week a new search infrastructure was unveiled to enable search for specific code within the millions of individual repositories. Elasticsearch powered the search infrastructure. However, the search infrastructure quickly revealed lots of private data, including passwords and private ssh keys.
The WebMonkey article, “Users Scramble as GitHub Search Exposes Passwords, Security Details,” says it this way:
Most of the passwords and other security data exposed were personal — typically private ssh keys to someone’s server or a Gmail password — which is bad enough, but at least one appeared to reveal a password for an account on Chromium.org, the repository that holds the source code for Google’s open-source web browser. Another reportedly exposed an ssh password to a production server of a ‘major, MAJOR website in China.’
Now some of the problem was coder negligence, for sure. Private information was stored within the repositories that should never have been there. Help Net Security’s article, “GitHub’s New Search Reveals Passwords and Private Keys,” highlights this aspect of the problem:
Searching for terms such as ‘BEGIN RSA PRIVATE KEY’ and ‘PASSWORD’ revealed the extent of that carelessness. Luckily, the ElasticSearch cluster powering the search tool initially buckled under the pressure of the multitude of search queries, making the tool unavailable for a while, and then GitHub decided to keep it offline while they ‘perform some additional maintenance.’
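The carelessness described in that quote is the part a development team can actually control: keys and passwords should be caught before they reach a repository at all. The following is an added example, not code from the original post and not a GitHub tool, showing a small pre-commit check in Python that scans staged files for the two kinds of material the quote names (PEM private-key headers and hard-coded password assignments), skips obvious placeholders, and reports findings with the secret value redacted. The sample configuration text and its fake key block are constructed for the example; the hook name and the decision to treat `git diff --cached` output as the file list are assumptions about how it would be wired in.

```python
import os
import re
import subprocess
import sys
from typing import Dict, List, Tuple

# Patterns for the material that the GitHub search turned up:
# PEM-encoded private keys and hard-coded password assignments.
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    "private_key": re.compile(
        r"-----BEGIN (?:RSA |DSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
    ),
    # password = "..." / passwd: ... / pwd=...  (value is group 1)
    "password_assignment": re.compile(
        r"""(?i)(?:password|passwd|pwd)\s*[:=]\s*['"]?([^\s'"]{4,})"""
    ),
}

# Values that are clearly placeholders rather than real credentials.
PLACEHOLDERS = {"changeme", "password", "xxxx", "<password>", "example", "yourpassword"}

# Constructed sample file content (not real credentials or a real key).
SAMPLE_CONFIG = """\
db_host = db.example.internal
db_password = "hunter2-Xq9"
api_key = abc
password = changeme
-----BEGIN RSA PRIVATE KEY-----
(constructed sample body, not a real key)
-----END RSA PRIVATE KEY-----
"""


def is_placeholder(value: str) -> bool:
    """True for dummy values such as 'changeme' or 'xxxxxxxx'."""
    v = value.strip().lower()
    return v in PLACEHOLDERS or len(set(v)) == 1


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, redacted_excerpt) for each suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            excerpt = line.strip()
            if kind == "password_assignment":
                value = m.group(1)
                if is_placeholder(value):
                    continue
                # Never echo the credential itself into hook output or logs.
                excerpt = excerpt.replace(value, "****")
            findings.append((lineno, kind, excerpt[:80]))
    return findings


def scan_file(path: str) -> List[Tuple[int, str, str]]:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())


def staged_files() -> List[str]:
    """Files added/copied/modified in the index, i.e. what this commit would publish."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True,
    ).stdout
    return [p for p in out.splitlines() if p and os.path.isfile(p)]


if __name__ == "__main__":
    # Installed as .git/hooks/pre-commit (assumed), or run on explicit paths.
    paths = sys.argv[1:] or staged_files()
    blocked = False
    for path in paths:
        for lineno, kind, excerpt in scan_file(path):
            print(f"{path}:{lineno}: {kind}: {excerpt}")
            blocked = True
    sys.exit(1 if blocked else 0)
```

Running `scan_text(SAMPLE_CONFIG)` flags line 2 (the real-looking password, shown as `db_password = "****"`) and line 5 (the key header), while the `changeme` placeholder on line 4 is ignored. Pattern matching of this kind only catches the obvious cases, and anything that has already been pushed remains in the repository history even after it is deleted, so a credential that did reach a public repository has to be treated as compromised and rotated rather than merely removed.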
However, it is a bit strange that there would be gratitude for a search system buckling under the pressure. On one hand, the crash did keep out search queries while the security issue could be repaired; on the other hand, do you ever really want your search infrastructure to crash? This is a messy problem with lots of contributing factors and no easy solution. At the very least, though, it should make you wonder about the quality and strength of your search solution and whether or not your enterprise is safe. Check out Lucene/Solr for a trustworthy solution with no such blemishes.
Emily Rae Aldridge, January 29, 2013