google / timesketch

Collaborative forensic timeline analysis
Apache License 2.0

Unit test file contains publicly exposed RSA PRIVATE KEY #2331

Closed. aravindb26 closed this 2 years ago.

aravindb26 commented 2 years ago

Describe the bug

Hi team, hope all is going well :). Sensitive data exposure occurs when an organization unknowingly exposes sensitive data, or when a security incident leads to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, sensitive data.

To Reproduce

Steps to reproduce the behavior:

  1. Go to https://github.com/google/timesketch/blob/c9b514c5cb593f65567beeb349ea72efc03e4eb6/timesketch/lib/google_jwt_test.py

  2. Search for PRIVATE KEY

  3. Scroll down to BEGIN RSA PRIVATE KEY

  4. You will see the following PRIVATE SENSITIVE KEY EXPOSED PUBLICLY:

```
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAjVUkmrTXhFmaahZExVcdJqb3BqZp2A6Kk+IFkmeLimK2DJg3
OpUSxEJ5mlaymu7XQJUlG2qKI7zhL7WV+S9CNYdLCVWMhg/XQ9dKB9VoYf92eAuf
kGrl2GbGd0y6KdMrTuxGfESC+l+exTcQAPvn1Md95difnruob6K1KXQTqEqQEFhK
LiciFtssyiC90r8ia7+082MSJUXpXNhHyyuehuV5Xs5GCVqZfP65MMiDiKidUxq4
0UNTodqJCzhum7iSK42SF9la7ao0FTizF1uFl7oU7fIbN2qzNBgn5U3CTfaZaII5
4Xn6pzoIwinYXCZzeTy7x+8ZIN41VDNGulTK/wIDAQABAoIBAA5ST2hB5QjrT4Nq
iEN7BWAyURviZx1Ws+IyaCAiz/gQ8qOqFQahroomtk3WdTjP9Q39TwpNLHxcmnEM
NItQp6Pm9sqWWawIFOcx/LV4gaBUk7usadnniyz3lSrnooG0fVH9DVNwWdlnMR6I
6t0+qYpdQLu2zM339CSD11nBAnDuHizgKj7qWLMCjvHm0/rJfsE/wLSqggsQFim2
0qZIB1yzQe5OQPke5voYiCua0kFqKibvuUkTmMwggAwosER+bV22li1rxRbYhea5
fFZxx0QDxUhBtIiHuvipbDhXTwNqnYl4CfkG9/b8TmeYPKpQkU1O3rIbzCrOXbcg
bUk6OHkCgYEA4xl4WfVqFEfrvmD+KSU3KTZxRSCof8AFOfmrmJPYqocxDw9JaFPH
7fxFEP/8BnxDBcnW+ikGB8VfWNrm40LAme7TD1Ogva9ddWlE/nnOacPWX4ep00e9
ErwIYLlvOjreH5J3PBGqNDVjavO+kREKKUqXDXY7m55OY5dEPckMLhsCgYEAn1GH
CoIwXfms7+CHPDld0bS6VecJGy6MJ3kvrVyc3Toopygnafj12epKKiusExu5EOH4
JIxfm/m6XMOLixIXAa0ZWBfVrek9Bt0CWf2l3jJeyD+oRk7h9Mw8dc4FpP8acZVg
AyD/MKW2zIfjp7hi4v4vagz9JUm4i3vbyIqcFO0CgYEA1BWxQ7Hhg1c3XfAO7DYJ
Mb/aQIijU8rsFpyIGFHagkcHFd1c3MWBbUuu5JVrtFLP9NPupGkzbIZy6PRls89f
N2LGUQX0k7D2QvQwrsbqcfOmfEih3OKePKTF3i7PJT5cund6SurkXSWO1w8S5T9Y
kf9K2hOUz1wkMPXPkTP04AkCgYAnPGDRibZ3rmGUwesMPeSJHMU3Gqr3csM5hXLk
cwZ+xS/12sG6K4IApN6W/CJook81hTEjbx6svxfSeKYJHe9kjkjLlTMenW5WHl/R
4dHTovwMvQCoMA0dyJ6rNI3XUKwmhO8cVigCxwz52g2K5LIVzRvINmKxqDI2x84c
2WYPEQKBgAU26m/CfLEANjrN2gHVXaBA6uKnUnyQBl99PXH/HOJ7g8o8OXJVJIDe
taxXqti9HRcj+oSgKNlL4A4W7pUmDh5sv6tHIx16MVoJO++2CjQN8V+m9DjPlgEx
+UVmw9npr/ilfWf3MnrUdl/MefdPUDZQ9rMIaDvX3VFA9H1KsJqv
-----END RSA PRIVATE KEY-----
```

Expected behavior

It shouldn't expose that key publicly, as it's case sensitive, and it should be removed from the repo.


joachimmetz commented 2 years ago

@aravindb26 Based on the source, this looks like a mock/test key:

https://github.com/google/timesketch/blob/c9b514c5cb593f65567beeb349ea72efc03e4eb6/timesketch/lib/google_jwt_test.py#L87

aravindb26 commented 2 years ago

@joachimmetz Hi, thank you for the reply, sir.

Nowadays test accounts have a high impact, because developers do tests with the actual data that exists internally; many developers test their code in Pastebin or anywhere, but sometimes forget to remove the sensitive data.

Example: an attacker got admin access on an internal login page with the credentials "demo/demo", but inside it has critical data.

I hope you got the impact, sir :)

Thank You :)

joachimmetz commented 2 years ago

> I hope you got the impact, sir :)

I fully understand the impact; I don't think you do. This is a test key, as in data generated specifically and ONLY for testing purposes:

https://github.com/google/timesketch/blob/c9b514c5cb593f65567beeb349ea72efc03e4eb6/timesketch/lib/google_jwt_test.py#L323

If you have evidence of the key being used for other purposes, please present that.
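The question the thread keeps circling is whether a key found by a scanner is real and whether it is trusted anywhere. The following is an added example, not Timesketch code and not part of the issue: a standard-library-only triage script that (1) parses the PEM blob as a PKCS#1 RSAPrivateKey and checks the RSA arithmetic, so a truncated or hand-edited dummy string is distinguished from a structurally valid key, and (2) derives the SHA-256 fingerprint of the matching public key in SubjectPublicKeyInfo form, which is the value to compare against keys that are actually trusted (a JWKS endpoint, a certificate, an authorized_keys file). All function names are my own. `SAMPLE_PEM` is the test key quoted in this issue, embedded only as sample input.

```python
# Added example, not Timesketch code: triage a "BEGIN RSA PRIVATE KEY" scanner
# hit using only the Python standard library. SAMPLE_PEM is the test key quoted
# in the issue, used here purely as input; it carries no authority anywhere.
import base64
import hashlib
import math
import re

SAMPLE_PEM = """-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAjVUkmrTXhFmaahZExVcdJqb3BqZp2A6Kk+IFkmeLimK2DJg3
OpUSxEJ5mlaymu7XQJUlG2qKI7zhL7WV+S9CNYdLCVWMhg/XQ9dKB9VoYf92eAuf
kGrl2GbGd0y6KdMrTuxGfESC+l+exTcQAPvn1Md95difnruob6K1KXQTqEqQEFhK
LiciFtssyiC90r8ia7+082MSJUXpXNhHyyuehuV5Xs5GCVqZfP65MMiDiKidUxq4
0UNTodqJCzhum7iSK42SF9la7ao0FTizF1uFl7oU7fIbN2qzNBgn5U3CTfaZaII5
4Xn6pzoIwinYXCZzeTy7x+8ZIN41VDNGulTK/wIDAQABAoIBAA5ST2hB5QjrT4Nq
iEN7BWAyURviZx1Ws+IyaCAiz/gQ8qOqFQahroomtk3WdTjP9Q39TwpNLHxcmnEM
NItQp6Pm9sqWWawIFOcx/LV4gaBUk7usadnniyz3lSrnooG0fVH9DVNwWdlnMR6I
6t0+qYpdQLu2zM339CSD11nBAnDuHizgKj7qWLMCjvHm0/rJfsE/wLSqggsQFim2
0qZIB1yzQe5OQPke5voYiCua0kFqKibvuUkTmMwggAwosER+bV22li1rxRbYhea5
fFZxx0QDxUhBtIiHuvipbDhXTwNqnYl4CfkG9/b8TmeYPKpQkU1O3rIbzCrOXbcg
bUk6OHkCgYEA4xl4WfVqFEfrvmD+KSU3KTZxRSCof8AFOfmrmJPYqocxDw9JaFPH
7fxFEP/8BnxDBcnW+ikGB8VfWNrm40LAme7TD1Ogva9ddWlE/nnOacPWX4ep00e9
ErwIYLlvOjreH5J3PBGqNDVjavO+kREKKUqXDXY7m55OY5dEPckMLhsCgYEAn1GH
CoIwXfms7+CHPDld0bS6VecJGy6MJ3kvrVyc3Toopygnafj12epKKiusExu5EOH4
JIxfm/m6XMOLixIXAa0ZWBfVrek9Bt0CWf2l3jJeyD+oRk7h9Mw8dc4FpP8acZVg
AyD/MKW2zIfjp7hi4v4vagz9JUm4i3vbyIqcFO0CgYEA1BWxQ7Hhg1c3XfAO7DYJ
Mb/aQIijU8rsFpyIGFHagkcHFd1c3MWBbUuu5JVrtFLP9NPupGkzbIZy6PRls89f
N2LGUQX0k7D2QvQwrsbqcfOmfEih3OKePKTF3i7PJT5cund6SurkXSWO1w8S5T9Y
kf9K2hOUz1wkMPXPkTP04AkCgYAnPGDRibZ3rmGUwesMPeSJHMU3Gqr3csM5hXLk
cwZ+xS/12sG6K4IApN6W/CJook81hTEjbx6svxfSeKYJHe9kjkjLlTMenW5WHl/R
4dHTovwMvQCoMA0dyJ6rNI3XUKwmhO8cVigCxwz52g2K5LIVzRvINmKxqDI2x84c
2WYPEQKBgAU26m/CfLEANjrN2gHVXaBA6uKnUnyQBl99PXH/HOJ7g8o8OXJVJIDe
taxXqti9HRcj+oSgKNlL4A4W7pUmDh5sv6tHIx16MVoJO++2CjQN8V+m9DjPlgEx
+UVmw9npr/ilfWf3MnrUdl/MefdPUDZQ9rMIaDvX3VFA9H1KsJqv
-----END RSA PRIVATE KEY-----"""

def pem_to_der(pem: str) -> bytes:
    body = re.sub(r"-----[A-Z ]+-----", "", pem)  # strip the armour lines
    return base64.b64decode("".join(body.split()), validate=True)

def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at buf[pos]; returns (tag, value, next)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the width of the length field
        width = length & 0x7F
        length = int.from_bytes(buf[pos:pos + width], "big")
        pos += width
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def parse_rsa_private_key(der: bytes) -> dict:
    """RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, dp, dq, qinv } (RFC 8017 A.1.2)."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single outer SEQUENCE")
    names = ["version", "n", "e", "d", "p", "q", "dp", "dq", "qinv"]
    ints, pos = [], 0
    while pos < len(body) and len(ints) < len(names):
        tag, val, pos = _read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER, got tag 0x%02x" % tag)
        ints.append(int.from_bytes(val, "big"))
    if len(ints) != len(names):
        raise ValueError("RSAPrivateKey needs 9 INTEGERs, got %d" % len(ints))
    return dict(zip(names, ints))

def is_consistent(k: dict) -> bool:
    """Arithmetic that holds for a real two-prime RSA key and fails for garbage."""
    n, e, d, p, q = k["n"], k["e"], k["d"], k["p"], k["q"]
    if k["version"] != 0 or p * q != n:
        return False
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # Carmichael lambda(n)
    return ((e * d) % lam == 1 and k["dp"] == d % (p - 1)
            and k["dq"] == d % (q - 1) and (k["qinv"] * q) % p == 1)

def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        width = (n.bit_length() + 7) // 8
        length = bytes([0x80 | width]) + n.to_bytes(width, "big")
    return bytes([tag]) + length + content

def _der_int(v: int) -> bytes:
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)  # keep the INTEGER positive

def spki_der(n: int, e: int) -> bytes:
    """SubjectPublicKeyInfo DER, the same bytes `openssl rsa -pubout -outform DER` emits."""
    alg_id = _der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")  # rsaEncryption, NULL
    public_key = _der(0x03, b"\x00" + _der(0x30, _der_int(n) + _der_int(e)))  # BIT STRING, 0 unused bits
    return _der(0x30, alg_id + public_key)

def public_key_fingerprint(n: int, e: int) -> str:
    """Hex SHA-256 of the SPKI DER; compare it with the same hash of any trusted key."""
    return hashlib.sha256(spki_der(n, e)).hexdigest()
```

Run `k = parse_rsa_private_key(pem_to_der(SAMPLE_PEM))`, then `is_consistent(k)` and `public_key_fingerprint(k["n"], k["e"])`. The fingerprint equals `openssl rsa -in key.pem -pubout -outform DER | openssl dgst -sha256`; a match against a key served by a JWKS endpoint or embedded in a certificate would be the evidence the thread asks for, and no match is what one expects of a key generated only for a unit test.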

aravindb26 commented 2 years ago

Again, thank you for the reply, sir. I understood it, but sir, I want to explain what if it has any sensitive data and an attacker does access it.

An RSA private key is used to generate digital signatures, and the RSA public key is used to verify digital signatures. The RSA public key is also used for key encryption of DES or AES data keys, and the RSA private key for key recovery.

joachimmetz commented 2 years ago

> Again, thank you for the reply, sir. I understood it, but sir, I want to explain what if it has any sensitive data and an attacker does access it.

This highly depends on the "attacker".

> An RSA private key is used to generate digital signatures, and the RSA public key is used to verify digital signatures.

You are OVER-generalizing: the fact that an "RSA private key CAN be used to generate digital signatures" does not mean this one is. I repeat: if you have evidence of the key being used for other purposes, please present that.

aravindb26 commented 2 years ago

Yeah, that is what I mean, sir: we can't say how these PRIVATE keys might be useful. But it's better to remove it from the repo, no? It might save you at any time, as we can't say how the attack may happen.

aravindb26 commented 2 years ago

As these keys are related to the Google repo,

Google says this, sir.

joachimmetz commented 2 years ago

> Yeah, that is what I mean, sir: we can't say how these PRIVATE keys might be useful. But it's better to remove it from the repo, no? It might save you at any time, as we can't say how the attack may happen.

What kind of useless security advisory is this? How can you give security advice if you don't understand the context in which the key is used?

> As these keys are related to the Google repo,

Where do you base that on?

https://en.wikipedia.org/wiki/Mock_object

> In [object-oriented programming](https://en.wikipedia.org/wiki/Object-oriented_programming), mock objects are simulated objects that mimic the behavior of real objects in controlled ways, most often as part of a [software testing](https://en.wikipedia.org/wiki/Software_testing) initiative. A programmer typically creates a mock object to test the behavior of some other object, in much the same way that a car designer uses a [crash test dummy](https://en.wikipedia.org/wiki/Crash_test_dummy) to [simulate](https://en.wikipedia.org/wiki/Simulation) the dynamic behavior of a human in vehicle impacts.

aravindb26 commented 2 years ago

@joachimmetz Okay, sir, fine.

joachimmetz commented 2 years ago

@aravindb26 Fine as in "you have more evidence to present", or fine as in "yes, this is a weak report of a scanner tool finding a PRIVATE KEY in a source file"?

aravindb26 commented 2 years ago

@joachimmetz I'm not saying it's a weak report, sir; I leave it to you whether you want to fix the bug or not. You might know that yesterday Uber got hacked with a simple social engineering attack, which is very low... low... and out-of-scope. Many people see that bug as not countable, but the impact was like the whole of Uber got hacked. Uber kept this bug under the out-of-scope category.

This is my main intention, sir. We shouldn't say it's a weak bug, because we don't know; the attacker might be more clever than you or anyone, sir. What do we do after the whole company gets hacked? So, my intention is: even if it's test data, it might be useful somewhere.

My intention is always to secure the data, and I want to report it even if it's a small bug. We shouldn't underestimate a small bug, sir.

Thank you :)

joachimmetz commented 2 years ago

> @joachimmetz I'm not saying it's a weak report, sir; I leave it to you whether you want to fix the bug or not.

Why is this a bug? This key is used for testing API interaction; this is WAI. Provide some facts to back up your claims.

It's a weak report because so far you've not been able to back up any of your claims.

How is social engineering related to a key used for testing API interaction? This is like saying get rid of all your kitchen spoons because people CAN get killed by knives.

aravindb26 commented 2 years ago

> > @joachimmetz I'm not saying it's a weak report, sir; I leave it to you whether you want to fix the bug or not.
>
> Why is this a bug? This key is used for testing API interaction; this is WAI. Provide some facts to back up your claims.
>
> It's a weak report because so far you've not been able to back up any of your claims.
>
> How is social engineering related to a key used for testing API interaction? This is like saying get rid of all your kitchen spoons because people CAN get killed by knives.

Ok, sir.

joachimmetz commented 2 years ago

Ok, as in what? That you are going to back up your facts, or that you keep speculating without any real evidence?

jaegeral commented 2 years ago

Closing as not an issue.