Any update on this?

On Sun 1 Dec, 2019, 10:15 PM kunal mhaske, <kunalmhaske...@gmail.com> wrote:
> Any update on this?
>
> On Sun 17 Nov, 2019, 5:49 PM kunal mhaske, <kunalmhaske...@gmail.com> wrote:
>
>> Title: Leaking sensitive information on GitHub (database connection and username, password)
>>
>> Vulnerability Name: Information Leak - GitHub
>>
>> Target: https://www.redhat.com/
>>
>> Summary:
>> Accidental leakage of secret keys in such code repositories is a real problem. I decided to dig deeper than the previous report and, looking at some random profiles on GitHub and doing some dirty work, I was able to access the developer's company's internal chats and files on Slack. And not only that, there's no easy way to see if someone is eavesdropping on the communication. In the worst-case scenario, these chats can leak production database credentials, source code, files with passwords and highly sensitive information.
>>
>> Description:
>> After some research, I found a leak on GitHub that might lead to accessing sensitive data of employees or clients (not sure based on the code). I have not confirmed what kind of data is in there to avoid potential legal issues. I will let you guys figure that out.
>>
>> I am not sure who is the owner of the repository, but I can tell you that the SAP credentials are for someone at Apple.
>>
>> 1. On the following link you can see the user's information (see screenshots 1 & 2):
>>
>> https://github.com/search?p=3&q=%22leaseweb%22language%3Abash+password&type=Code
>>
>> 2. I have checked the user profile on LinkedIn (for proof see the "Proof" image): https://de.linkedin.com/in/sebastian-hetze-3609b228
>>
>> 3. Sebastian Hetze is Senior Solution Architect at Red Hat.
>>
>> Steps:
>>
>> 1. Search for "Red Hat" password in GitHub.
>>
>> 2. Select sort: recently indexed.
>>
>> 3. Then click on the code and see the database connection.
>>
>> 4. Then you can see there are many users.
>>
>> 5. Then you see that some user's secret is displayed.
>>
>> Impact
>> High potential of unauthorized access to PII data.
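The report above is about credentials hardcoded in shell scripts (database connection strings, PASSWORD=... assignments, mysql -p arguments) turning up in public GitHub code search. The following is an added example, not part of the original thread or any Red Hat code: a small scanner a team can run as a pre-commit or CI check to flag such values before a script is pushed. The sample script, the patterns and the placeholder list are constructed for illustration and are not exhaustive.

```python
import re
from dataclasses import dataclass

# Constructed sample script (not from any real repository): real leaks plus a safe env reference.
SAMPLE = """#!/bin/bash
export DB_HOST=db.internal.example
export DB_PASSWORD='Hunter2Prod!'
export API_TOKEN="$API_TOKEN"   # read from the environment: fine
mysql -h "$DB_HOST" -u app -pS3cretPw appdb < dump.sql
psql postgresql://report:Rep0rt_pw@db.internal.example/reports -c 'select 1'
"""

# Constructed, non-exhaustive patterns for credentials hardcoded in shell scripts.
PATTERNS = {
    # postgres://user:password@host, mysql://..., mongodb://...
    "db_url": re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^\s:/@]+:([^\s@/]+)@"),
    # DB_PASSWORD=value, export APP_SECRET='value', TOKEN="value"
    "assignment": re.compile(
        r"\b(?:export\s+)?\w*(?:PASSWORD|PASSWD|SECRET|TOKEN|API_KEY)\w*\s*=\s*[\"']?([^\s\"']+)", re.I),
    # mysql ... -pPASSWORD: the password is glued to -p ("-p " alone prompts interactively)
    "mysql_cli": re.compile(r"\bmysql\b.*?\s-p(\S+)"),
}

@dataclass
class Finding:
    line_no: int
    kind: str
    redacted: str  # never copy the full secret into a report or ticket

def redact(value: str) -> str:
    """Keep two characters so the owner can recognise the value, hide the rest."""
    return value[:2] + "*" * max(len(value) - 2, 3)

def is_reference(value: str) -> bool:
    """Environment references and obvious placeholders are not leaks."""
    return value.startswith(("$", "<", "{{")) or value.lower() in {"changeme", "xxx", "none"}

def scan_script(text: str) -> list[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                if not is_reference(match.group(1)):
                    findings.append(Finding(line_no, kind, redact(match.group(1))))
    return findings

if __name__ == "__main__":
    for f in scan_script(SAMPLE):
        print(f"line {f.line_no}: {f.kind} -> {f.redacted}")
```

A non-empty result should fail the commit or pipeline; the redacted value is enough for the developer to find and rotate the credential.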