Uber Hack Shows Vulnerability of Software Code-Sharing Services
Security experts, hackers often find passwords left on Github
Value of code-sharing may outweigh risks, experts say
The data breach at Uber Technologies Inc. holds a lesson for software developers who use third-party services to store and share code: be careful what you share.
Services like San Francisco-based Github Inc., GitLab and SourceForge are used by developers to collaborate on projects, track bugs in code and distribute early versions of applications. They’re also a target for cyberthieves.
Uber lost records on 57 million customers and drivers after hackers gained access to a password-protected area of Github, one of the most popular code storehouses in the world. It’s happened before, too.
"Code depositories can be very problematic," Chris Boyd, an analyst at cybersecurity company Malwarebytes Inc., said. Many companies are slow to remove login details for these storage services when developers leave.
Earlier this month, a security researcher found that software developers for Chinese drone manufacturer SZ DJI Technology Co. had left the private keys for their Amazon Web Services cloud account and all the company’s websites in code they posted publicly on Github.
In 2014, hackers found a login key left in code that Uber’s developers publicly posted on Github, resulting in the theft of data on 50,000 Uber drivers. The ride-hailing company sued Github in 2015 to force it to hand over information about users who might have accessed the website that the code originated on.
Edwin Foudil, a security researcher who goes by the alias EdOverflow, said many companies mistakenly include passwords and private keys in the code they post on storage services.
"It is incredibly prevalent," Foudil said, adding that some developers assume their code is safe when it’s in a password-protected area. "They are relying on the repository being private, but it’s bad practice."
Hackers hunting for vulnerabilities routinely scan code posted publicly to Github for passwords and private encryption keys that developers have left visible, he explained.
Github declined to comment on individual accounts when asked about the latest Uber breach. It said it advises users to "never store access tokens, passwords, or other authentication or encryption keys in the code." If developers must include such items, they should use extra security procedures "to prevent unauthorized access or misuse."
18F, a group of programmers who help build software for the U.S. government, uses Github to share code, but mandates its developers run a piece of software that scans code for passwords and keys before allowing it to be posted.
However, these tools often generate "false positives" -- mistaking bits of innocent code for passwords or keys, Foudil said. The security researcher added that he has found code that 18F uploaded that still contained information that should have been deleted. There’s no substitute for human code review before uploading it to a service like Github, he said.
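The pre-commit scanning described above, and the false-positive problem that comes with it, can be illustrated with a small scanner. The following is an added example written for this page; it is not 18F's tool or any other product, and its patterns, placeholder markers and entropy threshold are assumptions chosen for illustration. It reports high-confidence hits (an AWS-style access key ID, a PEM private-key header) unconditionally, and reports generic "name = value" credential assignments only when the value is long enough, is not an obvious placeholder, and has enough character entropy to look like a real secret. The sample commit it scans is constructed; the key ID and password in it are not real credentials.

```python
"""Minimal pre-commit style secret scanner (added illustration, not 18F's tool).

Flags high-confidence patterns (AWS access key IDs, PEM private key headers)
and generic credential assignments whose value looks like a live secret.
Placeholder and low-entropy values are skipped to reduce the false positives
the article describes. Patterns and thresholds are assumptions for this example.
"""
import math
import re
from dataclasses import dataclass

# High-confidence patterns: a hit is reported regardless of entropy.
HIGH_CONFIDENCE = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
}

# Generic "name = value" assignments whose identifier ends in a credential word.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)([A-Za-z0-9_.-]*(?:password|passwd|pwd|secret|token|api[_-]?key))"
    r"\s*[:=]\s*['\"]?([^'\"\s]+)"
)

# Substrings that mark a value as a placeholder rather than a live secret (assumed list).
PLACEHOLDER_MARKERS = ("example", "changeme", "replace", "your_", "xxx", "<", "${", "%(")

MIN_VALUE_LENGTH = 8
MIN_ENTROPY_BITS = 3.0  # Shannon entropy per character; assumed threshold


@dataclass
class Finding:
    line_no: int
    kind: str
    snippet: str


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of `value` (0.0 for the empty string)."""
    if not value:
        return 0.0
    total = len(value)
    return -sum(
        (n / total) * math.log2(n / total)
        for n in (value.count(ch) for ch in set(value))
    )


def looks_like_placeholder(value: str) -> bool:
    """True when the value contains a marker typical of templates and docs."""
    lowered = value.lower()
    return any(marker in lowered for marker in PLACEHOLDER_MARKERS)


def scan_text(text: str) -> list[Finding]:
    """Scan `text` line by line and return every suspected secret, in order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        # A reviewed line can be explicitly excluded, mirroring real tools' allow-lists.
        if "# secret-scan: allow" in line:
            continue
        for kind, pattern in HIGH_CONFIDENCE.items():
            if pattern.search(line):
                findings.append(Finding(line_no, kind, line.strip()))
        for name, value in GENERIC_ASSIGNMENT.findall(line):
            if len(value) < MIN_VALUE_LENGTH or looks_like_placeholder(value):
                continue  # too short or clearly a placeholder: likely a false positive
            if shannon_entropy(value) < MIN_ENTROPY_BITS:
                continue  # repetitive value such as "aaaaaaaa": likely test data
            findings.append(
                Finding(line_no, f"credential_assignment:{name.lower()}", line.strip())
            )
    return findings


# Constructed sample: a config file as it might appear in a commit. The key
# ID and password are made up for this example and are not real credentials.
SAMPLE_COMMIT = """\
region = us-east-1
aws_access_key_id = AKIAZZZZTESTKEY00001
db_password = "s3cr3tP@ssw0rd!"
admin_password = "${DB_PASSWORD}"
api_token = "changeme"
signing_secret = "REPLACE_WITH_REAL_SECRET"
-----BEGIN RSA PRIVATE KEY-----
test_token = "aaaaaaaaaaaaaaaa"
fixture_password = "ZmFrZS1maXh0dXJlLXBhc3N3b3Jk"  # secret-scan: allow
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_COMMIT):
        print(f"line {f.line_no}: {f.kind}: {f.snippet}")
```

Run against the sample, the scanner reports three lines (the access key ID, the high-entropy database password and the private-key header) and stays quiet on the `${...}` reference, the `changeme` and `REPLACE_WITH_...` placeholders, the repetitive test token and the explicitly allowed fixture line. The entropy and placeholder checks are exactly where the trade-off lives: tighten them and real secrets slip through, loosen them and developers start ignoring the tool, which is why the human review mentioned above still matters.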
The Uber hack is unlikely to stop the use of code-sharing services. Many companies turn to these repositories to store and share code among programming teams that are often spread out across the globe. The sites help companies control which versions of the software their programmers are working on.
Sjoerd Langkemper, a Netherlands-based security expert who does penetration testing for web applications, said there were still good reasons to use such sites.
"Storing your code in a private GitHub repository is like storing documents in Google Drive: it is a little bit more insecure than storing them on your hard drive, but for many the benefits outweigh the additional risk," he said.