Microsoft, GitHub, GitLab & BitBucket reset SSH keys

Microsoft, GitHub, GitLab and BitBucket – four of the largest code hosting companies – began mass SSH key recalls on Monday after a vulnerability was found in a popular Git client called GitKraken.

The mass recalls followed a request from Arizona-based Axosoft, which developed GitKraken and discovered the security flaw in its software.

In a blog post on Monday, Axosoft reported that versions 7.6.x, 7.7.x and 8.0.0 of its GitKraken client used a library named "keypair" to generate the SSH keys that let developers connect the GitKraken application to accounts on Azure DevOps, GitHub, GitLab, BitBucket, or any other Git source code hosting server.

Axosoft reported that earlier versions of this library produced low-entropy RSA keys, which means that, under certain conditions, an attacker could use the library to generate a duplicate of another user's SSH key.

An attacker could then use these keys to access a user's account to steal proprietary source code.
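The practical consequence of a low-entropy generator is that two unrelated accounts can end up registered with the same public key, which is exactly what a hosting provider has to look for before deciding which keys to revoke. The following is an added example, not code from the article or from Axosoft: it parses OpenSSH `ssh-rsa` public key lines, computes the OpenSSH-style SHA256 fingerprint, and reports any fingerprint that appears on more than one account. The moduli and account names are constructed toy values, far too short for real keys.

```python
import base64
import hashlib
import struct
from collections import defaultdict

def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(n: int) -> bytes:
    # RFC 4251 mpint: big-endian, minimal, leading 0x00 if the top bit is set
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def encode_rsa_pubkey(e: int, n: int, comment: str = "") -> str:
    """Build an OpenSSH 'ssh-rsa <base64 blob> <comment>' line from (e, n)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}".rstrip()

def parse_rsa_pubkey(line: str):
    """Return (e, n) from an ssh-rsa line, or None for other key types."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        return None
    blob, fields, pos = base64.b64decode(parts[1]), [], 0
    while pos < len(blob):  # the blob is a sequence of length-prefixed fields
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa blob")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")

def fingerprint(line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of the key blob (the comment is not hashed)."""
    digest = hashlib.sha256(base64.b64decode(line.split()[1])).digest()
    return "SHA256:" + base64.b64encode(digest).rstrip(b"=").decode()

def find_shared_keys(accounts: dict) -> dict:
    """Map each fingerprint registered on more than one account to those accounts."""
    owners = defaultdict(set)
    for account, keys in accounts.items():
        for line in keys:
            owners[fingerprint(line)].add(account)
    return {fp: sorted(who) for fp, who in owners.items() if len(who) > 1}

# Constructed toy moduli; alice and bob share one, as a low-entropy generator can cause.
N_WEAK = 0xC0FFEE_D00D_1234_5678_9ABC_DEF0_1357_9BDF
N_OK = 0xDEAD_BEEF_0BAD_F00D_1234_5678_9ABC_DEF1
SAMPLE_ACCOUNTS = {name: [encode_rsa_pubkey(65537, n, f"{name}@host")]
                   for name, n in [("alice", N_WEAK), ("bob", N_WEAK), ("carol", N_OK)]}
```

Running `find_shared_keys(SAMPLE_ACCOUNTS)` returns the one fingerprint that alice and bob both hold; on a real key inventory, every account in such a group is a revocation candidate, since any of them could authenticate as the others.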

Axosoft reported that as soon as it identified the problem, it replaced the keypair library in the GitKraken application, released version 8.0.1, and notified the four major companies.

Shortly after Axosoft's publication, the Azure DevOps, GitHub, GitLab and BitBucket teams began revoking all SSH keys on accounts that had used the GitKraken app to sync source code.

The four companies are now asking their users to create new SSH keys using a different Git client or using the updated GitKraken application.

Both Axosoft and the four companies said they had found no evidence that attackers had exploited this flaw. So far.

Written by giorgos