Closed Bug 1621843 Opened 5 years ago Closed 5 years ago

[REDACTED] publicly disclosing without authentication leaks SSH_key

Categories

(Infrastructure & Operations :: Infrastructure: Puppet, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: pandeysachinbirendra, Unassigned)

Details

Attachments

(1 file)

Attached image 20200312_080827.jpg

User Agent: Mozilla/5.0 (Linux; Android 9; SM-M307F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Mobile Safari/537.36

Steps to reproduce:

Hello Security Team,

Description :-

[JULIEN VEHENT], a software developer from Mozilla, has left some severe information on GitHub; this data is very important for your organisation.

This bug gives attackers some critical information which allows the attacker to get entry into your database.

Steps to reproduce:

You can find the following info at this link:

https://github.com/mozilla/opsec-puppet/blob/389a163781e34a4c2b510f278d77508d23091ddb/hieradata/accounts.yaml

Actual results:

GitHub is a truly awesome service, but it is unwise to put any sensitive data in code that is hosted on GitHub and similar services, as I was able to find a GitHub token and api_key release.

How to protect? (Important)

1. Avoid git add . commands: using wildcards can easily capture local files not truly intended to be shared. Instead of wildcards, name each file you commit, or use git add -p to review each change you add.

2. Name sensitive files in .gitignore & .npmignore: Git supports a local file listing exclusions from packaging and commits, which you can use as a safety measure against the accidental inclusion of sensitive files, and you can use GitHub’s sample .gitignore files for other inspiration.

3. git-secrets: a git hook that prevents committing credentials. A useful tool called git-secrets hooks onto git commit and breaks the commit if it includes patterns that appear to be credentials. This is a good content-focused safety net, complementing the previously suggested filename-based protection.

4. Encrypt or use environment vars when publishing from CI.

5. Invalidate leaked credentials.

Expected results:

Impact

I didn't try anything with the token, and don't know what access it has. I know that in order to log in to https://github.sc-corp.net you need to have an @mozilla email, but still I thought it would be a good idea to share this finding with you in case it can be used in a way that I don't know.

Thanks & Regards,

Sachin Pandey.

Julien, I imagine you did not just leave private keys around in a github repo and these are public keys?

Assignee: nobody → infra
Group: firefox-core-security → core-security
Type: enhancement → defect
Component: Untriaged → Infrastructure: Puppet
Flags: needinfo?(jvehent)
Product: Firefox → Infrastructure & Operations
QA Contact: cshields

Yes, these are public keys...

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Flags: needinfo?(jvehent)
Resolution: --- → INVALID
Group: core-security
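As an added example (not code from this bug or from Mozilla's opsec-puppet repo), a pre-commit-style check in the spirit of the git-secrets suggestion above: it scans a constructed hieradata accounts.yaml for SSH key material and blocks only when a private key block is present, while authorized_keys-style public keys like the ones in the linked file pass. The regexes, file layout and key blobs are my own assumptions and the blobs are made up.

```python
"""Classify SSH key material in a text file (e.g. a Puppet hieradata
accounts.yaml) as public (fine to publish) or private (must never be committed).
Hypothetical pre-commit check; not part of git-secrets or opsec-puppet."""
import re
from typing import List, Tuple

# authorized_keys-style public key line: key type, base64 blob, optional comment
PUBLIC_KEY_RE = re.compile(
    r"\b(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521))\s+([A-Za-z0-9+/]+=*)"
)
# PEM / OpenSSH private key block header
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:(?:RSA|DSA|EC|OPENSSH) )?PRIVATE KEY-----")


def classify_keys(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, detail) for every key-looking line."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        if PRIVATE_KEY_RE.search(line):
            findings.append((n, "private", "private key block header"))
            continue
        m = PUBLIC_KEY_RE.search(line)
        if m:
            findings.append((n, "public", m.group(1)))
    return findings


def has_private_key(text: str) -> bool:
    """True if the file contains anything that must block the commit."""
    return any(kind == "private" for _, kind, _ in classify_keys(text))


# Constructed sample in hieradata accounts.yaml style; blobs are not real keys.
SAMPLE = """\
accounts:
  alice:
    uid: 1001
    ssh_keys:
      - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExample alice@example"
  bob:
    uid: 1002
    ssh_keys:
      - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDExampleExample bob@example"
"""
# Same file with a private key block mistakenly added (constructed)
BAD_SAMPLE = SAMPLE + """\
  deploy:
    private_key: |
      -----BEGIN OPENSSH PRIVATE KEY-----
      b3BlbnNzaC1rZXktdjEAAAAAExample
      -----END OPENSSH PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, text in (("accounts.yaml", SAMPLE), ("accounts-bad.yaml", BAD_SAMPLE)):
        for n, kind, detail in classify_keys(text):
            print(f"{name}:{n}: {kind} key ({detail})")
        print(f"{name}: {'BLOCK commit' if has_private_key(text) else 'public keys only, OK'}")
```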

Can I know whether I am eligible for a bug bounty, please?

Unfortunately, invalid bugs are not eligible for bounties.
