

GitHub Vulnerability Audit - Requires Approval of SSH Keys - chrisacky

Just received this email:

For anyone who missed out on what this vulnerability was, I wrote this blog post in response to it and how GitHub/Rails handled it all: http://chrisacky.posterous.com/github-you-have-let-us-all-down

--------------------------------------

A security vulnerability was recently discovered that made it possible for an attacker to add new SSH keys to arbitrary GitHub user accounts. This would have provided an attacker with clone/pull access to repositories with read permissions, and clone/pull/push access to repositories with write permissions. As of 5:53 PM UTC on Sunday, March 4th the vulnerability no longer exists.

While no known malicious activity has been reported, we are taking additional precautions by forcing an audit of all existing SSH keys.

# Required Action

Since you have one or more SSH keys associated with your GitHub account you must visit https://github.com/settings/ssh/audit to approve each valid SSH key.

Until you have approved your SSH keys, you will be unable to clone/pull/push your repositories over SSH.

# Status

We take security seriously and recognize this never should have happened. In addition to a full code audit, we have taken the following measures to enhance the security of your account:

- We are forcing an audit of all existing SSH keys
- Adding a new SSH key will now prompt for your password
- We will now email you any time a new SSH key is added to your account
- You now have access to a log of account changes in your Account Settings page
Sincerely, The GitHub Team
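The measures the email lists (keys bound to the signed-in account, a password prompt on key add, a notification mail, an account change log, and a forced audit that blocks SSH until every key is approved) can be modelled in a few dozen lines. The following is an added example written for this thread; it is not GitHub's or Rails' code. The in-memory stores, the PBKDF2 password check, the public-key format regex and the "weak form" that trusts a caller-supplied user_id are all constructed for illustration; the thread does not describe the actual root cause.

```ruby
require 'openssl'

# Constructed in-memory stores standing in for an application's database.
SALT = 'constructed-salt'.freeze
def password_digest(password)
  OpenSSL::PKCS5.pbkdf2_hmac(password, SALT, 10_000, 32, 'sha256')
end

USERS = {
  1 => { login: 'alice', email: 'alice@example.test', digest: password_digest('alice-pw') },
  2 => { login: 'bob',   email: 'bob@example.test',   digest: password_digest('bob-pw') },
}
SSH_KEYS  = []  # { id:, user_id:, title:, key:, approved: }
AUDIT_LOG = []  # { user_id:, action:, detail: }  -- the "log of account changes"
OUTBOX    = []  # constructed stand-in for outbound mail

class Forbidden < StandardError; end
class ReauthRequired < StandardError; end
class InvalidKey < StandardError; end

# Accepts the common OpenSSH public-key line shapes: type, base64 blob, optional comment.
KEY_FORMAT = %r{\A(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( \S+)?\z}

# Constant-time comparison so the password check does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Weak form: the owner of the new key comes from the request body, so any
# signed-in user can attach a key to any account. Constructed illustration
# of the outcome the email describes, not the real defect.
def add_key_unchecked(params)
  SSH_KEYS << { id: SSH_KEYS.size + 1, user_id: params[:user_id],
                title: params[:title], key: params[:key], approved: true }
  SSH_KEYS.last
end

# Hardened form following the email's measures: owner taken from the session
# (params[:user_id] is ignored), password re-entered, owner emailed, change logged.
def add_key(session_user_id, password, params)
  user = USERS.fetch(session_user_id) { raise Forbidden, 'not signed in' }
  unless secure_equal?(password_digest(password.to_s), user[:digest])
    raise ReauthRequired, 'password required to add an SSH key'
  end
  raise InvalidKey, 'unrecognised public key' unless params[:key].to_s.match?(KEY_FORMAT)

  record = { id: SSH_KEYS.size + 1, user_id: session_user_id,
             title: params[:title].to_s, key: params[:key], approved: true }
  SSH_KEYS << record
  AUDIT_LOG << { user_id: session_user_id, action: 'ssh_key.added', detail: record[:title] }
  OUTBOX << { to: user[:email], subject: "New SSH key added to your account: #{record[:title]}" }
  record
end

# Forced audit: every existing key becomes unapproved; SSH stays off for an
# account until its owner has approved or deleted each of its keys.
def force_key_audit!
  SSH_KEYS.each { |k| k[:approved] = false }
  AUDIT_LOG << { user_id: nil, action: 'ssh_key.audit_forced', detail: "#{SSH_KEYS.size} keys" }
end

# Owner reviews one key: keep (approve) or delete. Only the key's owner may act on it.
def review_key(session_user_id, key_id, keep:)
  key = SSH_KEYS.find { |k| k[:id] == key_id && k[:user_id] == session_user_id }
  raise Forbidden, 'not your key' unless key
  keep ? key[:approved] = true : SSH_KEYS.delete(key)
  AUDIT_LOG << { user_id: session_user_id,
                 action: keep ? 'ssh_key.approved' : 'ssh_key.deleted', detail: key[:title] }
  key
end

def keys_for(user_id)
  SSH_KEYS.select { |k| k[:user_id] == user_id }
end

# SSH clone/pull/push is allowed only when the account has keys and none is pending review.
def ssh_access_allowed?(user_id)
  keys = keys_for(user_id)
  !keys.empty? && keys.all? { |k| k[:approved] }
end

if __FILE__ == $PROGRAM_NAME
  k = 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterial0123456789abcdef alice@laptop'
  rec = add_key(1, 'alice-pw', user_id: 2, title: 'laptop', key: k)  # user_id: 2 is ignored
  puts "key #{rec[:id]} belongs to user #{rec[:user_id]}; mail sent to #{OUTBOX.last[:to]}"
  force_key_audit!
  puts "ssh allowed after forced audit: #{ssh_access_allowed?(1)}"
  review_key(1, rec[:id], keep: true)
  puts "ssh allowed after approval: #{ssh_access_allowed?(1)}"
end
```

The point of the contrast is that the hardened path never reads an owner from the request at all; the session decides, and the password prompt, mail and log entry are side effects of the same call rather than separate afterthoughts.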
======
chrisacky
This makes sense in my opinion.

I think overall GitHub have been handling this pretty well. They made a wishy-washy PR statement that flamed up in their faces ( [https://github.com/blog/1068-public-key-security-vulnerabili...](https://github.com/blog/1068-public-key-security-vulnerability-and-mitigation) ), then retracted most of it in their "Full Disclosure" post and have handled everything flawlessly since then.

For anyone who missed out on what this vulnerability was, I wrote this blog
post in response to it and how GitHub/Rails handled it all:

[http://chrisacky.posterous.com/github-you-have-let-us-all-do...](http://chrisacky.posterous.com/github-you-have-let-us-all-down)

------
spicyj
Beat you by about four minutes. ;)

<http://news.ycombinator.com/item?id=3676437>

