10,000 GitHub users inadvertently reveal their AWS secret access keys
GitHub developers who are also Amazon Web Services users are advised to check the code they have made public on their project pages and to delete any AWS secret access keys they may have posted inadvertently.
“When you access AWS programmatically, you verify your identity and the identity of your applications by using an access key. An access key consists of an access key ID (something like AKIAIOSFODNN7EXAMPLE) and a secret access key (something like wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY),” as explained in AWS’ Best Practices for Managing AWS Access Keys document.
“Anyone who has your access key has the same level of access to your AWS resources that you do. Consequently, we go to significant lengths to protect your access keys, and in keeping with our shared-responsibility model, you should as well.”
But some users have been lax when it comes to protecting their keys.
“We’ve seen a couple cases where customers accidentally uploaded their root access keys to public code repositories, so we recommend minimizing your security surface area by deleting (or not creating) root access keys altogether,” AWS noted in a recent blog post.
The keys are easily discoverable via a simple GitHub search and, according to Ty Miller, founder of penetration testing firm Threat Intelligence, almost 10,000 of them can currently be found on the popular hosting service for software projects.
As he explained to IT News Australia, he did the search and tested one of the unearthed keys in order to see whether he could access the AWS account and mess with it.
And he did – he uploaded and then deleted a file from the account. He says he could have done much worse. “If these are developers who are creating applications for corporations and the corporations’ AWS keys are leaked – you could potentially go in and delete their entire environment,” he pointed out.
Securosis CEO Rich Mogull was one of the people who, through sheer absent-mindedness, forgot to delete his AWS secret key from the code he posted on GitHub. An attacker discovered it and used it to run up $500 in charges.
A similar problem was flagged earlier this year, when GitHub’s new search revealed passwords and private encryption keys that careless developers had forgotten to remove from their code.
To mitigate mistakes like these, GitHub has created and regularly updates a user guide for thoroughly removing sensitive data from a git repository.
In the meantime, AWS has been recommending that users create an AWS Identity and Access Management (IAM) user with access keys instead of creating access keys for their root account.
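Removing a key after it has been pushed is damage control; the cheaper fix is to stop it leaving the developer's machine in the first place. The script below is an added example, not code from the article, from AWS or from GitHub: a small pre-commit scanner that flags AWS access key material in files before they are committed. It assumes the access key ID shape the article quotes (an "AKIA" prefix followed by 16 upper-case alphanumerics) and uses a heuristic for the 40-character secret key that only fires when "aws" or "secret" appears earlier on the same line, to keep false positives down. The sample credentials file is constructed from the two documented example values in the article.

```python
"""Pre-commit scanner for AWS access key material (added example, not AWS/GitHub tooling)."""
from __future__ import annotations

import re
import sys
from pathlib import Path

# Access key IDs look like AKIAIOSFODNN7EXAMPLE: "AKIA" followed by 16 upper-case
# letters or digits. The lookarounds stop us matching inside a longer token.
ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])AKIA[A-Z0-9]{16}(?![A-Z0-9])")

# Secret access keys are 40 characters drawn from the base64 alphabet. A bare
# 40-character token is a weak signal (hex digests look similar), so this
# heuristic (an assumption of this example) requires "aws" or "secret" within
# the preceding 40 characters of the same line.
SECRET_KEY_RE = re.compile(
    r"(?i)(aws|secret)[^\n]{0,40}?(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def redact(token: str) -> str:
    """Keep just enough of a secret to locate it; never echo the whole thing into CI logs."""
    return token[:4] + "..." + token[-4:]


def scan_text(text: str, path: str = "<stdin>") -> list[dict]:
    """Return one finding per access key ID or secret key found in `text`."""
    findings: list[dict] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            # Key IDs are not secret on their own, so report them in full.
            findings.append({"path": path, "line": lineno,
                             "kind": "access_key_id", "match": m.group(0)})
        for m in SECRET_KEY_RE.finditer(line):
            findings.append({"path": path, "line": lineno,
                             "kind": "secret_access_key", "match": redact(m.group(2))})
    return findings


def scan_files(paths) -> list[dict]:
    """Scan each readable regular file in `paths`; directories and unreadable files are skipped."""
    findings: list[dict] = []
    for p in paths:
        path = Path(p)
        if not path.is_file():
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        findings.extend(scan_text(text, str(path)))
    return findings


# Constructed sample using the two documented example values quoted in the article.
SAMPLE_CONFIG = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-east-1
"""


if __name__ == "__main__":
    # Typical hook usage (assumed file name): git diff --cached --name-only | xargs python scan_aws_keys.py
    # With no arguments, scan the embedded sample so the script demonstrates itself.
    hits = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE_CONFIG, "sample")
    for h in hits:
        print(f"{h['path']}:{h['line']}: {h['kind']} {h['match']}")
    # A non-zero exit makes git abort the commit when wired in as a pre-commit hook.
    sys.exit(1 if hits else 0)
```

Wired into `.git/hooks/pre-commit`, the non-zero exit blocks the commit before the key reaches the remote. The secret-key heuristic deliberately trades recall for precision; a team that wants to catch secrets without a nearby "aws" or "secret" label can drop the context requirement and accept more false positives.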