
Note that this was published back in May 2012, so it's not entirely recent (which is OK, just thought I would note it). However, this seems to have been public by February 2011 (http://stackoverflow.com/questions/5132152/when-you-have-sec...). I don't think the issue is entirely widespread, and a different key is likely used for production.



Yes, it is an old issue; the problem is that it's still there. Developers keep doing it for production. It is common knowledge for people involved in security, but not for developers, which is worrying. Take a look at these results: http://www.lmgtfy.com/?q=inurl:secret_token+filetype:rb#


I have no problem with old issues or vulnerabilities being posted, of course, especially when they are very widespread such as in this case.

Note that not all of those results are necessarily vulnerable, for example, https://github.com/hotsh/rstat.us/blob/master/config/initial... loads the secret key from the environment, and https://github.com/GreenplumChorus/chorus/blob/master/config... loads it from an ignored file (like the article). I would estimate the real number of projects to be somewhere less than 3000, with about 1400 being on Github. This also assumes that these are all actually production keys.

Just to reiterate, I do believe that this is a legitimate problem even now, but I just wanted to note the age of the article and to refute the claim that this is the first mention of the issue.
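The comments above contrast three ways a Rails initializer can obtain its secret token: a literal committed to the repository, a read from the environment, and a read from a git-ignored file. The following Ruby is an added example written for this page; it is not code from the thread or from any of the linked projects. It assumes a `SECRET_TOKEN` environment variable name and a YAML layout keyed by environment, both of which are choices made here, not conventions the thread specifies. It shows a small classifier a repository check could run over `config/initializers/secret_token.rb` to flag the committed-literal pattern, and a boot-time loader that prefers the environment, falls back to an ignored file, and refuses to start production with no token rather than a baked-in default.

```ruby
require "yaml"
require "securerandom"
require "tempfile"

# Matches the anti-pattern: a long hex literal assigned directly to secret_token.
HARDCODED_SECRET = /secret_token\s*=\s*['"][0-9a-f]{64,}['"]/i

# Classify how an initializer obtains its secret: :hardcoded, :env, :file or :unknown.
# A repository check can run this over config/initializers/secret_token.rb and
# fail the build on :hardcoded.
def classify_secret_source(source)
  return :hardcoded if source.match?(HARDCODED_SECRET)
  return :env       if source.match?(/secret_token\s*=\s*ENV\[/)
  return :file      if source.match?(/secret_token\s*=\s*(YAML|File)\./)
  :unknown
end

# Resolve the token at boot: environment first, then an optional git-ignored YAML
# file keyed by environment (assumed layout: "<env>:\n  secret_token: ...").
# Production refuses to boot without a token instead of using a default.
def load_secret_token(env: ENV, secrets_path: nil, rails_env: "production")
  token = env["SECRET_TOKEN"]
  if (token.nil? || token.empty?) && secrets_path && File.exist?(secrets_path)
    data  = YAML.safe_load(File.read(secrets_path)) || {}
    token = data.fetch(rails_env, {})["secret_token"]
  end
  if token.nil? || token.empty?
    raise "SECRET_TOKEN not set for #{rails_env}; refusing to boot" if rails_env == "production"
    # Development/test: a fresh random token per boot. Sessions reset on restart,
    # which is acceptable outside production.
    token = SecureRandom.hex(64)
  end
  token
end

# Constructed samples of the three initializer styles the thread contrasts.
SAMPLE_HARDCODED = "MyApp::Application.config.secret_token = '#{'ab' * 64}'\n"
SAMPLE_ENV       = "MyApp::Application.config.secret_token = ENV['SECRET_TOKEN']\n"
SAMPLE_FILE      = "MyApp::Application.config.secret_token = YAML.load_file('config/secret.yml')['production']\n"

def demo
  { hardcoded: SAMPLE_HARDCODED, env: SAMPLE_ENV, file: SAMPLE_FILE }.each do |label, src|
    puts "#{label} sample -> #{classify_secret_source(src)}"
  end
  # Simulate the ignored-file case with a temporary YAML file (constructed input).
  Tempfile.create(["secret", ".yml"]) do |f|
    f.write("production:\n  secret_token: #{SecureRandom.hex(64)}\n")
    f.flush
    puts "token from ignored file starts with #{load_secret_token(env: {}, secrets_path: f.path)[0, 8]}..."
  end
end

demo if __FILE__ == $PROGRAM_NAME
```

The classifier is deliberately narrow: it only recognises the literal-hex form that the search in the thread turns up, so a secret obfuscated some other way would still need manual review. The loader's production check is the part that matters operationally; a missing token should be a startup failure, not a silent fallback to whatever was committed.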



