Microsoft, GitHub, GitLab and BitBucket, four of the largest code hosting companies, began mass SSH key revocations on Monday after a vulnerability was discovered in a popular Git client called GitKraken.
The mass revocations were made at the request of Arizona-based Axosoft, the company that develops GitKraken and that discovered the security flaw in its own software.
In a post on its blog on Monday, Axosoft reported that versions 7.6.x, 7.7.x, and 8.0.0 of the GitKraken app used a library called "keypair" to create the SSH keys that let developers link the GitKraken app to accounts on Azure DevOps, GitHub, GitLab, BitBucket, or any other Git source code hosting server.
Axosoft reported that earlier versions of this library produced low-entropy RSA keys, meaning that, under certain circumstances, an attacker could use the same library to generate duplicate SSH keys.
An attacker could then use these keys to access a user's account and steal proprietary source code.
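To make the "low-entropy keys become duplicate keys" point concrete from the defender's side, here is an added example that is not from the article, Axosoft or the keypair library. It simulates a key generator whose randomness can only reach a handful of primes, encodes the resulting public keys in the OpenSSH `ssh-rsa` line format a hosting service actually stores, and then runs the classic pairwise-GCD audit a provider can use to find keys that share a factor (and therefore must be revoked). All key material, prime values and the `weak_keygen` / `audit_public_keys` / `recover_private_exponent` names are constructed for the demo; real keys are 2048-bit or larger and a production audit uses a batch-GCD product tree rather than every pair, but the reasoning is identical.

```python
"""Added example: why low-entropy RSA generation yields shared or duplicate
keys, and how a key-hosting service can audit stored public keys for it."""
import base64
from itertools import combinations
from math import gcd

E = 65537  # standard RSA public exponent

# Constructed: a toy prime pool standing in for a generator that, because
# its randomness is weak, can only ever produce a few distinct primes.
WEAK_PRIME_POOL = [10007, 10009, 10037, 10039, 10061, 10067, 10069]


def weak_keygen(p, q):
    """Toy RSA key built from two pool primes; returns (n, e, d)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return n, E, d


def _ssh_mpint(x):
    # SSH mpint: 4-byte big-endian length, then the magnitude with a leading
    # 0x00 whenever the top bit is set (the +8 guarantees that extra byte).
    body = x.to_bytes((x.bit_length() + 8) // 8, "big")
    return len(body).to_bytes(4, "big") + body


def encode_ssh_rsa(e, n, comment="constructed"):
    """Build an OpenSSH 'ssh-rsa AAAA... comment' public key line."""
    blob = b"\x00\x00\x00\x07ssh-rsa" + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def parse_ssh_rsa(line):
    """Return (e, n) from an OpenSSH 'ssh-rsa' public key line."""
    blob = base64.b64decode(line.split()[1])
    fields, pos = [], 0
    while pos < len(blob):
        length = int.from_bytes(blob[pos:pos + 4], "big")
        pos += 4
        fields.append(blob[pos:pos + length])
        pos += length
    if fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")


def audit_public_keys(lines):
    """Pairwise gcd audit over a batch of ssh-rsa lines.

    Returns {index: shared_factor} for every key whose modulus shares a
    factor with another key's modulus. A factor equal to the modulus itself
    means two users uploaded the very same key; a proper factor means two
    distinct keys were generated from the same weak randomness. Both cases
    are a full compromise of every key involved.
    """
    parsed = [parse_ssh_rsa(line) for line in lines]
    flagged = {}
    for (i, (_, n1)), (j, (_, n2)) in combinations(enumerate(parsed), 2):
        g = gcd(n1, n2)
        if g != 1:
            flagged[i] = g
            flagged[j] = g
    return flagged


def recover_private_exponent(n, e, shared_prime):
    """Given one prime factor learned from the audit, rebuild d.

    This is why a flagged key is treated as compromised, not merely 'weak':
    whoever can compute the gcd holds the private key.
    """
    if not 1 < shared_prime < n:
        raise ValueError("need a proper factor of n")
    p, q = shared_prime, n // shared_prime
    return pow(e, -1, (p - 1) * (q - 1))


# Constructed batch: keys 0 and 2 were made by the weak generator and happen
# to share the prime 10009; keys 1 and 3 do not collide with anything.
CONSTRUCTED_FACTORS = [(10007, 10009), (10037, 10039), (10009, 10061), (10067, 10069)]
CONSTRUCTED_KEYS = [weak_keygen(p, q) for p, q in CONSTRUCTED_FACTORS]
SAMPLE_KEY_LINES = [encode_ssh_rsa(e, n, f"user{i}@constructed")
                    for i, (n, e, _) in enumerate(CONSTRUCTED_KEYS)]


def run_audit():
    """Audit the constructed batch and confirm each flagged key is recoverable.

    Returns (flagged indices, number of flagged keys whose d was recovered).
    """
    flagged = audit_public_keys(SAMPLE_KEY_LINES)
    recovered = 0
    for idx, factor in flagged.items():
        n, e, d = CONSTRUCTED_KEYS[idx]
        if 1 < factor < n and recover_private_exponent(n, e, factor) == d:
            recovered += 1
    return sorted(flagged), recovered


if __name__ == "__main__":
    print(run_audit())  # keys 0 and 2 flagged, both private exponents recovered
```

The audit only needs public keys, which is exactly what a hosting service already has on file; that is the kind of check that lets a provider decide which keys to revoke even when it cannot tell which client generated them. For a real key file, feed `audit_public_keys` the lines of an `authorized_keys` file or a provider's key export; `parse_ssh_rsa` rejects anything that is not an `ssh-rsa` entry.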
Axosoft reported that as soon as it identified the problem, it replaced the keypair library in the GitKraken application, released version 8.0.1, and notified the four major companies.
Shortly after Axosoft's disclosure, security teams at Azure, GitHub, GitLab, and BitBucket began revoking all SSH keys on accounts that had used the GitKraken application to access source code.
The four companies are now asking their users to create new SSH keys using a different Git client or using the updated GitKraken application.
Both Axosoft and the four companies said that, so far, they have found no evidence of attackers exploiting this flaw.