Amazon Web Services (AWS) is asking those who write code and use GitHub to go back and check their work to make sure they did not forget to remove login credentials. The warning comes as news circulates that nearly 10,000 AWS keys are sitting in plain sight on GitHub, discoverable with a simple search query.
Ty Miller, founder of penetration testing firm Threat Intelligence, said these secret keys can be thought of as a username and password, since they provide authentication to AWS services. Anyone with access to the keys has access to the associated account, which means they can reach any files they want and do whatever they wish with them.
Miller randomly chose credentials he found on GitHub and was able to log into the account, upload a file and then delete it. Had he wanted to, he could have done a serious amount of damage, such as deleting all of the account's contents.
Miller said that if these are developers creating applications for corporations, and the corporation's AWS keys are leaked, someone could potentially go in and clean them out.
As AWS points out, anyone who has your access key has the same level of access to your AWS resources that you do. AWS goes to significant lengths to protect access keys and encourages its users to do the same.
The problem is not with GitHub itself so much as with careless developers. The site exists to let developers share their code with others for collaborative purposes, but they are evidently forgetting to remove login credentials before uploading.
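As an added illustration, not code from the article or from AWS, the following Python check flags AWS credential-shaped strings in files before they are committed, which is the kind of "check your work" step the warning asks for. It assumes the publicly documented key shapes (20-character access key IDs beginning with AKIA, 40-character secret keys); the sample text is constructed, and the secret shown is the placeholder from AWS documentation, not a live key.

```python
import re
import sys

# IAM user access key IDs start with "AKIA" and are 20 characters long (assumed format).
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])")
# Secret keys are 40 characters; match them only next to a telltale variable
# name so that hashes and other 40-character tokens are not reported.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\W{0,5}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Constructed sample input; the secret is the AWS documentation placeholder.
SAMPLE = """\
# constructed sample, not real credentials
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE01"
aws_secret_access_key: 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
region = "us-east-1"
"""

def redact(value: str) -> str:
    """Keep only the first four characters so the report does not re-leak the secret."""
    return value[:4] + "*" * (len(value) - 4)

def find_aws_credentials(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, kind, redacted_value) for every credential-shaped match."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "access_key_id", redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((lineno, "secret_access_key", redact(m.group(1))))
    return findings

def scan_paths(paths: list[str]) -> dict[str, list[tuple[int, str, str]]]:
    """Scan the given files (e.g. those staged for commit) and return per-file findings."""
    report = {}
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="ignore") as fh:
                hits = find_aws_credentials(fh.read())
        except OSError:
            continue  # unreadable or deleted file: nothing to scan
        if hits:
            report[path] = hits
    return report

if __name__ == "__main__":
    # As a pre-commit hook: pass the staged file names; a non-zero exit blocks the commit.
    report = scan_paths(sys.argv[1:])
    for path, hits in report.items():
        for lineno, kind, value in hits:
            print(f"{path}:{lineno}: possible AWS {kind}: {value}")
    sys.exit(1 if report else 0)
```

Wire it in as a Git pre-commit hook over the staged files to stop the credential before it reaches a shared repository, rather than searching for it afterwards.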