GitHub Does Not Protect Secure Information Placed In Its Repository [Updated]

GitHub was created so that users could share source code in hosted repositories. It has now become another potential source of security leaks.

ITWorld is reporting that GitHub, the 7-year-old web-based hosting service for Git (a free, open-source distributed version control system that lets projects of any size share their source code), has a leak problem, one caused not by GitHub itself but by what people post to it.

GitHub's repositories have been found to hold a large number of quick fixes, or "ugly hacks," in C, making the site a place where developers pick up fixes that may themselves carry serious vulnerabilities. The other issue is scale: in seven years GitHub has grown to over 9.4 million users and over 22.5 million repositories.

In 2013 GitHub added a code search feature that searches public repositories and any private repositories the logged-in user has access to. Anyone who knows what to look for can query it and turn up private encryption keys and login credentials that were committed alongside ordinary source code in those repositories.

GitHub has asked that the practice stop, but there is evidence that it continues unabated. The core problem is how easily anyone can get at a company's private information once an employee has committed it to a repository.
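To make the search-and-scan idea concrete, here is an added example (not code from the article, ITWorld, Uber or GitHub) of a small Python scanner that looks for the kinds of secrets described above in file contents: private-key headers, cloud access-key IDs, hard-coded passwords, connection strings with embedded credentials, and, as a fallback, long high-entropy quoted strings. The rules, the entropy threshold and the sample settings file are assumptions constructed for this example; the literal strings the regexes match on are also the sort of query a searcher types into a code search. Run it over a checkout to find what has already been committed, or over staged files as a pre-commit hook to keep the secret out of the history in the first place.

```python
import math
import re
import sys
from collections import Counter
from typing import List, Tuple

# Rules for the kinds of secrets the article describes (private keys and
# login information). These patterns are assumptions made for this example;
# real scanners ship far larger rule sets.
SECRET_PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"""(?i)(?:password|passwd|pwd)\s*[=:]\s*["'][^"']{6,}["']"""),
    "db_url_with_creds": re.compile(r"\b[a-z]+://[^/\s:]+:[^@\s]+@"),
}

# Fallback for tokens no regex knows about: a long quoted string whose
# characters are close to uniformly distributed is probably a key or token.
QUOTED_STRING = re.compile(r"""["']([^"']{20,})["']""")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed heuristic cut-off


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, rule_name) for every line that looks like a secret.

    Regex rules take precedence; the entropy rule only fires on lines that no
    regex matched, so a URL with an embedded password is reported once, as a URL.
    """
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        matched = False
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, name))
                matched = True
        if matched:
            continue
        for quoted in QUOTED_STRING.findall(line):
            if shannon_entropy(quoted) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "high_entropy_string"))
                break
    return findings


# Constructed sample of a settings file that a developer might commit by
# mistake. The values are made up and are not real credentials.
SAMPLE_CONFIG = """\
# settings.py -- constructed sample, not a real configuration
DEBUG = True
DB_PASSWORD = "hunter2hunter2"
DATABASE_URL = "postgres://app:s3cr3tpass@db.internal:5432/app"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
API_TOKEN = "abcdefghijklmnopqrstuvwxyz012345"
SAFE_PASSWORD = os.environ["DB_PASSWORD"]
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA...
-----END RSA PRIVATE KEY-----
"""


def main(argv: List[str]) -> int:
    """Scan the files named on the command line; return 1 if anything is found.

    With no file arguments, scan the embedded sample so the script runs offline.
    """
    sources: List[Tuple[str, str]] = []
    for path in argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            sources.append((path, fh.read()))
    if not sources:
        sources.append(("<sample>", SAMPLE_CONFIG))
    status = 0
    for name, text in sources:
        for lineno, rule in scan_text(text):
            print(f"{name}:{lineno}: possible {rule}")
            status = 1
    return status


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Against the sample the scanner reports lines 3, 4, 5, 6 and 8 and leaves the `os.environ` lookup on line 7 alone, which is the pattern to aim for: read secrets from the environment or a vault at runtime rather than from a committed file. As a pre-commit hook, feed it the output of `git diff --cached --name-only` (use `xargs -r`, or check the list is non-empty, so an empty staging area does not fall through to the sample) and let the non-zero exit block the commit.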

According to Ars Technica, Uber, the ride-hailing company whose customers book a ride in a driver's personal vehicle much as they would a taxi, is asking GitHub for the IP addresses of thousands of GitHub users who may have obtained the leaked material through the problem described above. According to Uber, the leak exposed the records of almost 50,000 Uber drivers, including names and driver's license numbers. The breach, announced on a Friday, had been discovered more than two months earlier.

“The contents of these internal database files are closely guarded by Uber,” the complaint stated. “Accessing them from Uber’s protected computers requires a unique security key that is not intended to be available to anyone other than certain Uber employees, and no one outside of Uber is authorized to access the files. On or around May 12, 2014, from an IP address not associated with an Uber employee and otherwise unknown to Uber, John Doe I used the unique security key to download Uber database files containing confidential and proprietary information from Uber’s protected computers.”

That led Uber to sue two unidentified men, John Doe 1 and John Doe 2, who gained access to the data. GitHub is working to comply with Uber's request, but Uber is being told what every computer, internet and especially GitHub user is being told now: never store credentials, keys or personal information in a code repository, least of all a public one on a service like GitHub.

[Image courtesy of Molecular Ecologist]