← Back to context

Comment by jonahx

2 years ago

Not defending GH here (their position is indefensible imo) but, as the article notes, they document these behaviors clearly and publicly:

https://docs.github.com/en/pull-requests/collaborating-with-...

I don't think they're being underhanded exactly... they're just making a terrible decision. Quoting from the article:

> The average user views the separation of private and public repositories as a security boundary, and understandably believes that any data located in a private repository cannot be accessed by public users. Unfortunately, as we documented above, that is not always true. Whatsmore, the act of deletion implies the destruction of data. As we saw above, deleting a repository or fork does not mean your commit data is actually deleted.

38 comments

jonahx

Reply
jiggawatts  2 years ago

From the article:

"We surveyed a few (literally 3) commonly-forked public repositories from a large AI company and easily found 40 valid API keys from deleted forks."

This is how your customers get their entire cloud taken over, because you made a stupid, stupid decision and instead of fixing it when warned (repeatedly!) you instead decide to just blame the customer for not reading page 537 paragraph 3 subsection B about the counter-intuitive security footgun you've left in your product.

This is negligence, pure and simple.

  • ndriscoll  2 years ago

    If you published a key, you must assume someone copied it and that deleting references to it is not sufficient. You must rotate that key now, and should check whether it was used improperly. This is pretty basic incident response.

    The thing about exposing commits that were only ever in a private repo is pretty indefensible, but not garbage collecting public commits on delete shouldn't matter.

    • jiggawatts  2 years ago

      > If you published a key

      Why would anyone think that a private fork is "published"!?

      This is the footgun here: The UI is telling you that nobody can see the secrets you committed to your private copy, but actually it is widely accessible.

      A similar example of UI-vs-reality mismatch that I've noticed recently is the Azure Store Account "public" visibility. By default, it uses your authenticated account for RBAC access checks, so if you click around it'll say something like "you don't have browse access". This looks secure, but attempting access anonymously would have succeeded!

      I had a customer recently where this happened -- they clicked through every Storage Account to "check" them, convinced themselves they were secure, meanwhile they had database backups with PII accessible to world+dog!

      7 replies →

andersa  2 years ago

Based on some (admittedly not very thorough) search, this documentation was posted in 2021, three years after my report.

  • YetAnotherNick  2 years ago

    But that would still means they didn't intend to fix it, hence not giving bounty is fair.

    • malfist  2 years ago

      It's a bug bounty, not a "only if we have time to fix it" bounty.

      He found a security problem, they decided not to act on it, but it was still an acknowledged security problem

      24 replies →

jowea  2 years ago

Shouldn't that be on the config page for the repo below the "private" button with a note saying private is not actually private if it's a fork? And ditto for delete?