Spotify's Github accessed via compromised SSH keys

CloudFlare engineer Ben Cartwright-Cox says the official Github repositories of the UK Government, Spotify, and Python were accessed using likely compromised SSH keys.

“If you have just/as of late gotten an email about your keys being revoked, this is because of me, and if you have, you should really go through and make sure that no one has done anything terrible to you, since you have opened yourself to people doing very mean things to you for what is most likely a very long time,” he says in a blog post.

He said that the revoked keys were subject to a compromised Debian OpenSSL random number generator seed.

“I used g0tmi1k’s set of keys to compare against what I had in my database, and found a very large amount of users who are still using vulnerable keys, and even worse, have commit access to some really large and wide projects.”

Those projects include:

  • Spotify’s public repos (and any private repos those employees had access to)
  • Yandex’s public repos (and any private repos the person had access to)
  • Crypto libraries to Python
  • Django
  • Python’s core
  • gov.uk public repos (and any private repos the person had access to)
  • Couchbase (and any private repos the person had access to)
  • A ruby gem that is used on a large amount of CI systems (compromise of that, means compromise of your build server, and possibly your internal network)

“The most scary part of this is that anyone could have just looped through all of these keys just trying to SSH into GitHub to see the banner it gives you,” he added.

“It would be safe to assume that due to the low barrier of entry for this, that the users that have bad keys in their accounts should be assumed to be compromised and anything that allowed that key entry may have been hit by an attacker.”

What this basically means is that a hacker could crack the keys and insert malware into popular projects. He says about two thirds of Github accounts utilise SSH keys.