GitHub search exposes uploaded credentials
Users of the GitHub project hosting system have been reminded not to upload sensitive information to the system's Git repositories. The reminder comes after GitHub launched a new search service based on elasticsearch. The launch of the service sent people off searching the code and, as people tend to do, they searched for private information. Various searches for terms such as "BEGIN RSA PRIVATE KEY" were revealing many people had, in fact, been uploading private keys.
One security researcher spotted what appeared to be an ssh password for a "major, MAJOR website in China", while other searchers found tokens for web services. Reports that GitHub had taken down their search system because it was exposing this information appear to have been incorrect. It seems the elasticsearch cluster collapsed under the weight of searches as the ability to expose sensitive information was being discussed on Twitter and other sites. At the time of writing, the GitHub status page reads "Search remains unavailable. The cluster is recovering slowly and we continue to monitor its progress."
In the case of GitHub, and other revision control systems, the problem of exposed information is very persistent; even if you remove the current version of the sensitive data, there will still be its historical copies in the repository. GitHub offers guidance on removing that data by using git to purge it completely from the repository.
Search has always been a powerful tool in the hands of those looking for sensitive information such as passwords or keys. Search engines have been used to help locate vulnerable SCADA systems, expose embedded servers in devices, or just find passwords.