Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Security Infrastructure

GitHub Rotates Publicly Exposed RSA SSH Private Key

GitHub replaced the RSA SSH private key used to secure Git operations for GitHub.com after it was exposed in a public GitHub repository.

Microsoft-owned code hosting platform GitHub said that it has replaced the RSA SSH private key used to secure Git operations for GitHub.com.

The key, the platform said, was briefly exposed in a public GitHub repository and was not leaked following a GitHub compromise. No customer information was impacted, the company says.

According to the software collaboration platform, the key could have been used to impersonate GitHub or eavesdrop on customers’ Git operations over SSH.

“This key does not grant access to GitHub’s infrastructure or customer data,” GitHub said in a Friday announcement.

GitHub also noted that the key was exposed as result of “an inadvertent publishing of private information”.

“We have no reason to believe that the exposed key was abused and took this action out of an abundance of caution,” GitHub said.

With only GitHub.com’s RSA SSH key replaced, no action is required from ECDSA and Ed25519 users. The leak did not impact web traffic to GitHub.com or HTTPS Git operations either.

“We have now completed the key replacement, and users will see the change propagate over the next thirty minutes. Some users may have noticed that the new key was briefly present beginning around 02:30 UTC during preparations for this change,” GitHub said on Friday

Advertisement. Scroll to continue reading.

The platform also provided instructions on how customers can manually remove the old key and add the new RSA SSH public key. GitHub Actions users may also need to take action.

According to code security platform GitGuardian, the accidental exposure of secrets in public repositories is not surprising. In 2022, the firm found over 10 million new secrets exposed and says that one out of ten committers exposed a secret last year.

“If you have exposed a secret publicly, you are certainly not alone. GitHub serves as a good reminder we must stay vigilant in our security practices, no matter how large our team,” GitGuardian notes.

Related: GitHub Revokes Code Signing Certificates Following Cyberattack

Related: Attackers Can Abuse GitHub Codespaces for Malware Delivery

Related: GitHub Secret Scanning Now Generally Available

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Raffi Joukhadarian has been named Managing Director and Chief Financial Officer at MorganFranklin Cyber.

Data security firm Rubrik has appointed Kavitha Mariappan as its Chief Transformation Officer.

DARPA veteran Dan Kaufman has joined Badge as SVP, AI and Cybersecurity.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.