GitHub Rotates Publicly Exposed RSA SSH Private Key
Microsoft-owned code hosting platform GitHub said that it has replaced the RSA SSH private key used to secure Git operations for GitHub.com.
The key, the platform said, was briefly exposed in a public GitHub repository and was not leaked following a GitHub compromise. No customer information was impacted, the company says.
According to the software collaboration platform, the key could have been used to impersonate GitHub or eavesdrop on customers’ Git operations over SSH.
“This key does not grant access to GitHub’s infrastructure or customer data,” GitHub said in a Friday announcement.
GitHub also noted that the key was exposed as result of “an inadvertent publishing of private information”.
“We have no reason to believe that the exposed key was abused and took this action out of an abundance of caution,” GitHub said.
With only GitHub.com’s RSA SSH key replaced, no action is required from ECDSA and Ed25519 users. The leak did not impact web traffic to GitHub.com or HTTPS Git operations either.
“We have now completed the key replacement, and users will see the change propagate over the next thirty minutes. Some users may have noticed that the new key was briefly present beginning around 02:30 UTC during preparations for this change,” GitHub said on Friday
The platform also provided instructions on how customers can manually remove the old key and add the new RSA SSH public key. GitHub Actions users may also need to take action.
According to code security platform GitGuardian, the accidental exposure of secrets in public repositories is not surprising. In 2022, the firm found over 10 million new secrets exposed and says that one out of ten committers exposed a secret last year.
“If you have exposed a secret publicly, you are certainly not alone. GitHub serves as a good reminder we must stay vigilant in our security practices, no matter how large our team,” GitGuardian notes.
Related: GitHub Revokes Code Signing Certificates Following Cyberattack
Related: Attackers Can Abuse GitHub Codespaces for Malware Delivery
Related: GitHub Secret Scanning Now Generally Available