Re: Bug Report ( sensitive information on Github )

[kunal mhaske]

Any update on this?

On Sun 1 Dec, 2019, 10:15 PM kunal mhaske, <address@hidden> wrote:

Any update on this?

On Sun 17 Nov, 2019, 5:49 PM kunal mhaske, <address@hidden> wrote:

Title: Leaking sensitive information on Github  (Database connection
And username, password)

Vulnerability Name: Information Leak - Github

Target: https://www.redhat.com/

Summary:
Accidental leakage of secret keys in such code repositories is a real
problem, I decided to dig deeper than the previous report and looking
to some random profiles in Github, and doing some dirty work I was
able to access to the developer’s company’s internal chats and files
on Slack. And not only that, there’s no easy way to see if someone is
eavesdropping on the communication. In the worst case scenario, these
chats can leak production database credentials, source code, files
with passwords and highly sensitive information.

Description:
After some research, I found a leak on GitHub that might lead to
accessing sensitive data of employees or clients (not sure based on
the code).  I have not confirmed what kind of data is in there to
avoid potential legal issues. I will let you guys figure that out

I am not sure who is the owner of the repository, but I can tell you
that the SAP credentials are for someone at apple.

1.On The following link You can see the users information  link ( see
screenshot 1&2) :
https://github.com/search?p=3&q=%22leaseweb%22language%3Abash+password&type=Code

2. I have check the user profile on LinedIn( For Proof See the "Proof"
Image ) : https://de.linkedin.com/in/sebastian-hetze-3609b228

3. Sebastian Hetze is Senior Solution Architect at Red Hat


Step:

1.search the "Red Hat" password in the github.

2.Select sort: recent indexed

3.then click on the code and see the Database connection.

4.then you can see their is many users.

5.then you see their is someone users secret is display.

Impact
High potential of an unauthorized access to PII data.