Production secret key leak in config/secrets.yml
State: Informative (Closed)
Disclosed publicly: 2019-01-08T07:55:23.269Z
Reported to: Grabtaxi Holdings Pte Ltd
Weakness: Cleartext Storage of Sensitive Information

Summary by phreak

We have recently received a lot of duplicate reports related to keys specified in the following URL:

https://github.com/grab/blogs/blob/master/2017-01-29-deep-dive-into-database-timeouts-in-rails/config/secrets.yml

The given key is a demo boilerplate that has been used to explain Database Timeouts in Rails, a blog post at our Grab Engineering blog, and is not used anywhere in production.

Timeline
phreak submitted a report to Grabtaxi Holdings Pte Ltd.
2018-12-06T17:46:45.164Z

Summary:
Production secret key leak in config/secrets.yml

Description:
On GitHub, the secret_key_base of http://engineering.grab.com/ is leaked; it is present in config/secrets.yml.

Steps To Reproduce:

  1. Go to the GitHub URL below and verify that secret_key_base is present: https://github.com/grab/blogs/blob/master/2017-01-29-deep-dive-into-database-timeouts-in-rails/config/secrets.yml

Mitigation:

https://medium.com/@thejasonfile/hide-your-api-keys-hide-your-skype-api-keys-884427746f9c

Impact

Proper impact is explained here:
https://stackoverflow.com/questions/44220691/rails-what-are-the-consequences-of-a-leaked-secret-key-base

Regards,
Frans
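An added illustration, not part of the report and not code from Grab's repository: a Ruby check that loads a `config/secrets.yml` and flags every environment whose `secret_key_base` is stored as a literal instead of the `<%= ENV["SECRET_KEY_BASE"] %>` reference Rails generates for production. Rails expands ERB before parsing the file, so the raw text is loaded here as plain YAML and the ERB tag survives as a string that can be pattern-matched. The sample file, its key strings and the helper names (`hardcoded_secret_key_bases`, `exposed_environments`) are constructed for this example.

```ruby
require "yaml"

# Constructed sample secrets.yml (not the file from the report): production
# carries a hard-coded literal, test uses the ENV reference Rails generates
# by default. The hex strings are made-up filler, not real keys.
SAMPLE_SECRETS_YML = <<~YAML
  development:
    secret_key_base: 3f1c9a7e5b2d4c6f8a0e1b3d5f7a9c2e4b6d8f0a1c3e5b7d9f2a4c6e8b0d1f3a
  test:
    secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
  production:
    secret_key_base: a7c3e9f1b5d2a8c4e6f0b3d7a9c1e5f2b8d4a6c0e3f7b1d9a5c2e8f4b0d6a1c3
YAML

# A value counts as environment-backed when it is an ERB expression reading
# ENV, e.g. <%= ENV["SECRET_KEY_BASE"] %> or <%= ENV.fetch("SECRET_KEY_BASE") %>.
ENV_BACKED = /\A<%=\s*ENV(\[|\.fetch\()/

# Returns [[environment, problem], ...] for every environment whose
# secret_key_base is a literal (or is missing) rather than read from the
# process environment at boot. Loaded as plain YAML on purpose: the raw
# file is what gets committed, and an ERB tag parses as the string "<%= ... %>".
def hardcoded_secret_key_bases(yaml_text)
  doc = YAML.safe_load(yaml_text) || {}
  doc.each_with_object([]) do |(env_name, settings), findings|
    next unless settings.is_a?(Hash) && settings.key?("secret_key_base")
    value = settings["secret_key_base"].to_s.strip
    if value.empty?
      findings << [env_name, "secret_key_base is empty"]
    elsif value !~ ENV_BACKED
      findings << [env_name, "secret_key_base is a #{value.length}-character literal"]
    end
  end
end

# Environments where a committed literal is an actual exposure: everything
# except the local development/test profiles, which Rails itself ships with
# literal keys.
def exposed_environments(yaml_text, local = %w[development test])
  hardcoded_secret_key_bases(yaml_text).map(&:first) - local
end

if __FILE__ == $PROGRAM_NAME
  hardcoded_secret_key_bases(SAMPLE_SECRETS_YML).each { |env, why| puts "#{env}: #{why}" }
  puts "exposed: #{exposed_environments(SAMPLE_SECRETS_YML).inspect}"
end
```

Run against the constructed file, the check reports `development` and `production` as literals and lists only `production` as exposed; a file whose production entry reads `<%= ENV.fetch("SECRET_KEY_BASE") %>` produces no findings. The same function can be pointed at a checkout before it is pushed, which is the pre-commit step the report's mitigation link describes.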

avicoder- Activities::BugInformative
2018-12-07T07:25:32.484Z
Hey @phreak, thanks for bringing this to our attention. The given key is from a demo boilerplate that has been used to explain *Database Timeouts in Rails* in this blog: `https://engineering.grab.com/deep-dive-into-database-timeouts-in-rails`. Therefore there do not appear to be any security implications as a direct result of this behavior. If you disagree, please reply with additional information describing your reasoning. Including a working proof-of-concept can be incredibly helpful in our assessment of these claims. ~ @avicoder-


prakhar-prasad Activities::AgreedOnGoingPublic
2019-01-08T07:55:10.974Z


prakhar-prasad Activities::ManuallyDisclosed
2019-01-08T07:55:23.225Z