Bank leaves sensitive data exposed on GitHub repositories
By Arie Fred, VP of Product, SecBI
A North American bank stored highly sensitive digital property in a series of publicly open and accessible GitHub repositories.
The repositories contained hundreds of files, some of which contained code that appeared to be intended for mobile banking apps, access keys for a SQL Server database of foreign exchange rates, and log-in credentials for services and database instances.
This is not the first security incident in which GitHuB was involved. Its open nature makes it both a target for hackers and a place where employee negligence can go undetected for years.
What are the (in)security impacts of GitHub on organizations?
Account takeover and ransom
The most direct cybersecurity threat is account takeover or abuse. For instance, the GitHub account of Canonical Ltd., the company behind the Ubuntu Linux distribution, was hacked on Saturday, July 6th , 2019. Other GitHub accounts were hacked and held for ransom. To improve its resilience against such attacks, the GitHub Platform now supports two-factor authentication with security keys using the WebAuthn API.
Used as a “dump” for stolen information
Much like the hacktivists’ practice of posting stolen data “dumps” on Pastebin, some hackers have used GitHub to post sensitive information stolen from organizations. Recently, GitHub was sued for aiding hacking in Capital One breach, since the hacker posted details about the hack on the code-sharing site.
The lawsuit claims that “decisions by GitHub’s management […] allowed the hacked data to be posted, displayed, used, and/or otherwise available.” According to the lawsuit, details about the Capital One hack were available from April 21, 2019 to mid-July before they were taken down. “GitHub knew or should have known that obviously hacked data had been posted to GitHub.com,” the lawsuit claims.
Beyond raising some interesting ethical, legal and regulatory questions, it certainly shows this platform’s popularity and exposure.
Used to store private (sensitive information)
While GitHub warns users not to expose sensitive data, the platform’s ease-of-use facilitates lazy programming and DevOps behaviors that ultimately expose organizations to serious risks. ASUS engineers exposed company passwords for months on GitHub, and CircleCI informed their clients that their GitHub login information was exposed in a data breach.
Researchers at North Carolina State University (NCSU) scanned almost 13% of GitHub’s public repositories over nearly six months, and found more than 100,00 repositories containing secret access keys, such as SSH keys and API keys for Google, Twitter, Amazon Web Services, Facebook, MailChimp, Twilio, and credit card processing companies Stripe, Square, and Braintree.
As a C2 Channel
Some sophisticated malware types used GitHub as a repository and communication channel to control the installed malware and store stolen information. Since the GitHub requests are not seen as an abnormal activity by security mechanisms, this activity could have persisted for a very long time.
It’s not all gloom and doom
It’s important to note that GitHub is making substantial effort to improve security of its platform. In addition to introducing 2FA, the organization has announced the acquisition of Semmle, a code analysis firm that is supposed to help GitHub users identify and fix vulnerabilities in the code for upload to the platform. In addition, GitHub’s new CVE authority will allow it to quickly issue security advisories on GitHub projects, identifying severity and quickly issuing fixes to a broader base of users.
But all these security measures will not suffice if GitHub users will continue to perceive it as an ultra-secured dump for all their data and code. Needless to say, a AI-driven threat detection & response solution for fast, accurate and simple remediation is a necessity given the vulnerability of using GitHub.