Security News > 2024 > January > GitHub rotates keys to mitigate impact of credential-exposing flaw
GitHub rotated keys potentially exposed by a vulnerability patched in December that could let attackers access credentials within production containers via environment variables.
"On December 26, 2023, GitHub received a report through our Bug Bounty Program demonstrating a vulnerability which, if exploited, allowed access to credentials within a production container. We fixed this vulnerability on GitHub.com the same day and began rotating all potentially exposed credential," said Github VP and Deputy Chief Security Officer Jacob DePriest.
While the organization owner role requirement is a significant mitigating factor and the vulnerability's impact is limited to the researcher who found and reported the issue through GitHub's Bug Bounty Program, DePriest says the credentials were still rotated according to security procedures and "Out of an abundance of caution."
Although most of the keys rotated by GitHub in December require no customer action, those using GitHub's commit signing key and GitHub Actions, GitHub Codespaces, and Dependabot customer encryption keys will have to import the new public keys.
"We strongly recommend regularly pulling the public keys from the API to ensure you're using the most current data from GitHub. This will also allow for seamless adoption of new keys in the future," DePriest said.
Months earlier, GitHub also had to revoke code-signing certificates for its Desktop and Atom applications after unknown attackers stole them after breaching the company's development and release planning repositories in December 2022.