Note: the purpose of this post is to serve as a reminder to gitignore sensitive data in your repository, not to teach you how to exploit GitHub search to get other people's credentials.
We all know that Git is awesome for version control and code tracking, and GitHub is the usual go-to place for hosting Git repositories since it is free for public / open-source repositories. Since any file can be pushed to GitHub, if you are not careful with your gitignore the pushed files may include your private keys, database connection credentials and, even worse, your Amazon S3 keys.
By default, SSH looks for id_rsa and id_dsa files when a user attempts to connect with key authentication, so there is a good chance that some people have pushed their own private key to GitHub… Let's search “filename: id_rsa”, for example:
That's a lot of keys. Having someone's private key means you can impersonate them, and if their server happens to use SSH key authentication… bingo! Now imagine someone has your private key and your server uses SSH key authentication. Scary, isn't it?
I followed the RailsApps guide on how to set environment variables; one of the ways mentioned in the guide is to create a local_env.yml file to store them. The RailsApps website is kinda popular, so I figured there might be people who followed the guide and forgot to gitignore the local_env.yml file. Let's try “filename: local_env.yml” this time:
I managed to find a few Facebook App IDs / Secrets and Google API Secrets in some of the results shown above. Hmm, let's try something scarier: “filename: local_env.yml amazon”
And you wondered why there was a spike in your Amazon bill recently. Well, the good news is that Amazon frequently scans public repositories on GitHub and will notify the owner to remove the file from GitHub if it finds one.
Be extra careful when your code involves keys and secrets; it can cost you thousands, or at worst your integrity. GitHub has written instructions on how to remove sensitive data if you have accidentally pushed it to a remote. Once you find that keys have been pushed to a remote, remember to immediately revoke all the old keys and generate new ones as a safety measure: some bots may already have recorded them.
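As an added example (not part of the original post), here is a Git pre-commit hook that refuses a commit when a staged file has a name on a deny list (id_rsa, id_dsa and local_env.yml are the names from this post; id_ecdsa, id_ed25519 and .env are my additions) or when its contents match a PEM private-key header or an AWS secret-key variable name. Both the name list and the regex are assumptions to adapt to your own project. It is a safety net behind a proper .gitignore, not a replacement for it: anyone can skip hooks with git commit --no-verify, so it catches honest mistakes rather than enforcing policy, and the key-rotation step above still applies to anything that slips through.

```shell
#!/bin/sh
# pre-commit hook: block staged files that look like keys or secrets files.
# Install: copy to .git/hooks/pre-commit and make it executable.
# The deny list and content regex below are illustrative assumptions;
# extend them to match the secret files your own project uses.

# Basenames that must never be committed. id_rsa, id_dsa and local_env.yml
# come from the post; the remaining names are added here as assumptions.
BLOCKED_NAMES='id_rsa id_dsa id_ecdsa id_ed25519 local_env.yml .env'

# Content that indicates key material or credentials, as an extended regex:
# any PEM private-key header (RSA, EC, OPENSSH or unlabelled) or an AWS
# secret-key variable name. Matched case-insensitively below.
BLOCKED_CONTENT='-----BEGIN( [A-Z]+)? PRIVATE KEY-----|aws_secret_access_key'

# check_file PATH: returns 0 if the file looks safe, 1 if it must not be committed.
check_file() {
    path=$1
    base=${path##*/}
    for name in $BLOCKED_NAMES; do
        if [ "$base" = "$name" ]; then
            echo "blocked: $path (filename '$name' is on the deny list)" >&2
            return 1
        fi
    done
    # Deleted or non-regular paths have nothing to grep; only inspect real files.
    if [ -f "$path" ] && grep -Eiq -e "$BLOCKED_CONTENT" -- "$path"; then
        echo "blocked: $path (contents match a private-key or secret pattern)" >&2
        return 1
    fi
    return 0
}

# scan_staged: run check_file over every added, copied or modified staged file.
# The subshell accumulates a status across the loop and returns it as the
# function's exit code, so Git aborts the commit when anything matched.
scan_staged() {
    git diff --cached --name-only --diff-filter=ACM | (
        status=0
        while IFS= read -r f; do
            check_file "$f" || status=1
        done
        if [ "$status" -ne 0 ]; then
            echo "commit aborted: remove the file, add it to .gitignore and re-stage" >&2
        fi
        exit "$status"
    )
}

# Only scan when Git invokes this script as the pre-commit hook, so the
# functions above can also be sourced and exercised on their own.
case "$0" in
    */pre-commit) scan_staged ;;
esac
```

The content check matters because a private key saved under an innocent name (deploy_key, server.pem) passes the filename test; the filename check matters because a secrets file may be empty or use a format the regex does not know. Pair the hook with a commit-history or server-side scan, since it only sees commits made on machines where it is installed.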
TL;DR: Gitignore is serious business. Remember to ignore all your keys and secrets before committing.