Github Users Inadvertently Expose Own SSH Keys After New Search Feature Launch

On Wednesday, GitHub expanded and improved its search feature to make it easier to locate code stashed on the site by live-indexing newly uploaded code. In theory, it sounds like a nice improvement on the site’s ability to deliver results to those looking for certain code or developers, but it appears that the new tool uncovers much more--namely, private SSH keys.

The issue appears to be that some GitHub users have been storing private keys in public directories, and the new search tool is returning them in search results. Obviously, having exposed SSH keys is disastrous, and it allows hackers to silently do all sorts of damage, from sophomoric tampering to serious longitudinal cybercrime.


GitHub hasn’t addressed the issue directly, but status reports indicate that they’re frantically working on the search functionality. Search became unavailable yesterday (yes, passive voice, because it’s not clear if it went down due to a bug or if it was taken down deliberately), and GitHub has been keeping it offline and doing maintenance on it ever since.

GitHub Advanced Search
The culprit, kind of: GitHub's new advanced search

Is it a security breach? No, not technically, because GitHub’s defenses weren’t compromised and the problem stemmed from users putting private files where they shouldn’t have, but GitHub could bear some of the responsibility because a change in the site’s capabilities made previously unsearchable items suddenly searchable.

In any case, there’s a valuable and obvious lesson to be learned here: don’t store private things in public places.

Update, 6:29pm: GitHub's PR folks reached out to us to let us know that the indexing problem is unrelated to the search functionality being down. We've asked for further clarification and will update as we can.
Tags:  security, ssh, Misc, GitHub, code