GitHub Swiftly Replaces Exposed RSA SSH Key to Protect Git Operations


Mar 24, 2023 | Ravie Lakshmanan | Cloud Security / Programming

Cloud-based repository hosting service GitHub said it took the step of replacing its RSA SSH host key used to secure Git operations “out of an abundance of caution” after it was briefly exposed in a public repository.

The activity, which was carried out at 05:00 UTC on March 24, 2023, is said to have been undertaken as a measure to prevent any bad actor from impersonating the service or eavesdropping on users’ operations over SSH.

“This key does not grant access to GitHub’s infrastructure or customer data,” Mike Hanley, chief security officer and SVP of engineering at GitHub, said in a post. “This change only impacts Git operations over SSH using RSA.”

The move does not impact Web traffic to GitHub or Git operations performed via HTTPS. No change is required for ECDSA or Ed25519 users.
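To see which clients are affected by an RSA-only host key change like this one, the following added example (not from GitHub or the original article) audits `known_hosts` content for `github.com` pins, including hashed entries, and marks the `ssh-rsa` ones for review. The replacement key's fingerprint is not given in the article, so the script cannot tell an old RSA pin from a new one; the sample file and its key blobs are constructed placeholders.

```python
import base64
import hashlib
import hmac

HOST = "github.com"
AFFECTED_TYPE = "ssh-rsa"  # per the article, only the RSA host key was replaced

def hash_host(host, salt):
    """Build a HashKnownHosts field: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(field, host=HOST):
    """True if a known_hosts host field names `host` (exact names only, no wildcards)."""
    if field.startswith("|1|"):
        parts = field.split("|")
        if len(parts) != 4:
            return False
        return hmac.compare_digest(field, hash_host(host, base64.b64decode(parts[2])))
    return host in field.split(",")

def audit(text, host=HOST):
    """Return (line_no, key_type, review) for every entry that pins `host`."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):  # skip @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3 or not host_matches(fields[0], host):
            continue
        # ECDSA and Ed25519 pins are unaffected; RSA pins must be re-verified.
        findings.append((no, fields[1], fields[1] == AFFECTED_TYPE))
    return findings

# Constructed sample: key blobs are placeholders, not real host keys.
SAMPLE = "\n".join([
    "# constructed known_hosts sample",
    "github.com ssh-rsa AAAAPLACEHOLDERRSA",
    "github.com ssh-ed25519 AAAAPLACEHOLDERED25519",
    hash_host("github.com", b"constructed-salt-20b") + " ssh-rsa AAAAPLACEHOLDERRSA",
    "example.org ssh-rsa AAAAPLACEHOLDEROTHER",
])

if __name__ == "__main__":
    for no, key_type, review in audit(SAMPLE):
        print(no, key_type, "re-verify RSA pin" if review else "unaffected")
```

Entries marked for review can be removed with `ssh-keygen -R github.com` and re-added only after comparing the presented key against the fingerprint GitHub publishes.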

The Microsoft-owned company said there is no evidence that the exposed SSH private key was exploited by adversaries.

It further emphasized that the “issue was not the result of a compromise of any GitHub systems or customer information.” It blamed it on an “inadvertent publishing of private information.”

It also noted GitHub Actions users may see failed workflow runs if they are using actions/checkout with the ssh-key option, adding it’s in the process of updating the action across all tags.




The disclosure comes nearly two months after GitHub revealed that unknown threat actors managed to exfiltrate encrypted code signing certificates pertaining to some versions of GitHub Desktop for Mac and Atom apps.
