SSH key vulnerability identified and fixed by Github

Github has just released details of a security flaw that it has discovered and eliminated for users with SSH key access on their accounts.

A security vulnerability was recently discovered that made it possible for an attacker to add new SSH keys to arbitrary GitHub user accounts. This would have provided an attacker with clone/pull access to repositories with read permissions, and clone/pull/push access to repositories with write permissions. As of 5:53 PM UTC on Sunday, March 4th the vulnerability no longer exists.

While no known malicious activity has been reported, we are taking additional precautions by forcing an audit of all existing SSH keys.

## Required Action

Since you do not have any SSH keys associated with your GitHub account, you were not at risk, and no action is required.

## Status

We take security seriously and recognize this never should have happened. In addition to a full code audit, we have taken the following measures to enhance the security of your account:

* We are forcing an audit of all existing SSH keys
* Adding a new SSH key will now prompt for your password
* We will now email you any time a new SSH key is added to your account
* You now have access to a log of account changes in your Account Settings page
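The last three measures above, as an added illustration that is not GitHub's own code: a key-add handler that only ever touches the logged-in account, re-checks the owner's password first, writes an audit-log entry and queues a notification email, plus a forced-audit pass that disables any key the owner never confirmed. The data model, function names and the sample key are assumptions.

```python
import base64, hashlib, hmac, secrets, time
from dataclasses import dataclass, field

ALLOWED_KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256"}

@dataclass
class Account:          # hypothetical in-memory account record
    login: str
    salt: bytes
    password_hash: bytes
    ssh_keys: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)
    outbox: list = field(default_factory=list)   # notification emails queued for the owner

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def create_account(login: str, password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(login, salt, _hash_password(password, salt))

def verify_password(account: Account, password: str) -> bool:
    # Constant-time comparison of the re-entered password against the stored hash.
    return hmac.compare_digest(account.password_hash, _hash_password(password, account.salt))

def fingerprint(public_key: str) -> str:
    # Accept only "<type> <base64 blob>"; fingerprint is SHA256 of the decoded blob (OpenSSH style).
    parts = public_key.split()
    if len(parts) < 2 or parts[0] not in ALLOWED_KEY_TYPES:
        raise ValueError("unsupported or malformed public key")
    blob = base64.b64decode(parts[1], validate=True)   # raises ValueError on bad base64
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def add_ssh_key(session_account: Account, public_key: str, password: str) -> dict:
    """Add a key to the logged-in account only (no target parameter), after re-authentication."""
    if not verify_password(session_account, password):
        raise PermissionError("password re-authentication failed")
    key = {"fingerprint": fingerprint(public_key), "confirmed": True, "enabled": True}
    session_account.ssh_keys.append(key)
    session_account.audit_log.append({"event": "ssh_key_added", "fingerprint": key["fingerprint"], "at": time.time()})
    session_account.outbox.append(f"A new SSH key {key['fingerprint']} was added to {session_account.login}")
    return key

def audit_ssh_keys(account: Account) -> list:
    """Forced audit: keys the owner never confirmed are disabled until re-confirmed."""
    suspect = [k for k in account.ssh_keys if not k["confirmed"]]
    for k in suspect:
        k["enabled"] = False
    if suspect:
        account.audit_log.append({"event": "ssh_key_audit", "disabled": [k["fingerprint"] for k in suspect], "at": time.time()})
    return suspect
```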

The steps seem sensible to me, and are nice examples of how placing steps into a security-affecting process can help to reduce vulnerability in the system and the attack surface area. Good job, Github.
