Massive GitHub and DockerHub Private Key Leaks Expose Corporate and Government Data
Exposure of Private Keys Puts Organizations at Risk
A recent study has uncovered a significant security risk affecting numerous corporations and government agencies, after the inadvertent exposure of private keys associated with over 900 active and valid TLS certificates on GitHub and DockerHub.
Affected Organizations and Certificates
The affected certificates are used by more than 600 organizations, including Fortune 500 firms, government agencies, and healthcare providers.
Study Findings
The joint study, conducted by Google and GitGuardian, found that only 16% of the exposed TLS certificates contained information about the organizations that owned them. Despite additional research efforts, including website record scraping, domain ownership verification, and AI-assisted web crawling, nearly 1,300 certificates remained anonymous.
The researchers notified over 600 organizations about the exposure of their TLS certificates, but only 9% responded. Some bug bounty programs even offered rewards to researchers who could demonstrate the threat posed by the exposed website private keys.
Recommendations for Organizations
The study highlights the need for better coordination between organizations and certificate-issuing authorities to mitigate the risks associated with exposed private keys. The researchers emphasized that the exposure of private keys can have serious consequences, including the compromise of website security and the potential for malicious activities.
In light of the findings, organizations are advised to take immediate action to review their TLS certificates and ensure that their private keys are secure. This includes verifying the ownership of certificates, updating certificates that are approaching expiration, and implementing robust key management practices to prevent similar incidents in the future.
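As an added example, not code from the study or this article, here is a minimal Go check in the spirit of these recommendations: it scans a file for PEM private-key blocks the way a pre-commit hook or container-image scan would, then tests whether a found RSA key is really the private half of a given certificate, which is the proof a triage team needs before revoking and re-issuing. The "leaked" .env file and the certificate are constructed inline and are not real data.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"math/big"
	"strings"
	"time"
)

// FindPrivateKeys returns every PEM block whose type ends in "PRIVATE KEY" (RSA, EC or PKCS#8).
func FindPrivateKeys(data []byte) (found []*pem.Block) {
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		if strings.HasSuffix(block.Type, "PRIVATE KEY") {
			found = append(found, block)
		}
	}
	return found
}

// KeyMatchesCert reports whether a leaked PKCS#1 RSA key is the private half of the
// certificate's public key, i.e. whether this particular leak forces revocation of that cert.
func KeyMatchesCert(keyBlock *pem.Block, certDER []byte) (bool, error) {
	key, err := x509.ParsePKCS1PrivateKey(keyBlock.Bytes)
	if err != nil {
		return false, err
	}
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return false, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	return ok && pub.N.Cmp(key.N) == 0 && pub.E == key.E, nil
}

// Fixture builds a constructed "leaked" .env file with an RSA key pasted in, plus a self-signed certificate for that key.
func Fixture() (leaked, certDER []byte) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	if certDER, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key); err != nil {
		panic(err)
	}
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	return []byte("DB_HOST=db.internal\nTLS_KEY=\n" + string(keyPEM)), certDER
}
```

A key that matches a live certificate means that certificate must be revoked and re-issued from a fresh key, not merely removed from the repository history.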
