GitHub recently acknowledged that, due to a mistake, some users' passwords were exposed in plaintext, although only a small number of employees saw them.
Some GitHub account passwords exposed in plaintext form
Last week several foreign media outlets reported that, in GitHub's internal logging system, some users' passwords had been exposed in plaintext to internal staff. The sequence of events is as follows:
Last Tuesday GitHub sent an email to some users notifying them that a fault in the password-reset feature had caused its internal logs to record, in plaintext, the passwords users entered while resetting their passwords. The bug has since been fixed, but the affected users must reset their passwords to regain access to their accounts.
In the email, GitHub also stated that these passwords were not accessible to most GitHub staff, let alone to the public or other GitHub users. GitHub does not intentionally store passwords in plaintext, and it was not hacked or compromised in any way.
The full text of the email follows:
During the course of regular auditing, GitHub discovered that a recently introduced bug exposed a small number of users' passwords to our internal logging system, including yours. We have corrected this, but you'll need to reset your password to regain access to your account.
GitHub stores user passwords with secure cryptographic hashes (bcrypt). However, this recently introduced bug resulted in our secure internal logs recording plaintext user passwords when users initiated a password reset. Rest assured, these passwords were not accessible to the public or other GitHub users at any time.
Additionally, they were not accessible to the majority of GitHub staff and we have determined that it is very unlikely that any GitHub staff accessed these logs. GitHub does not intentionally store passwords in plaintext format. Instead, we use modern cryptographic methods to ensure passwords are stored securely in production. To note, GitHub has not been hacked or compromised in any way.
You can regain access to your account by resetting your passwords using the link below:
https://github.com/password_reset
At first, many users who received the email assumed it was a large-scale phishing campaign and posted screenshots on Twitter. Only later was it confirmed that the email had come from GitHub itself, which is what drew the attention and coverage of many media outlets.
GitHub's official explanation
Many will be curious about the cause of this vulnerability. According to GitHub's official explanation, user passwords are stored with bcrypt (a stronger password-hashing algorithm); a configuration error caused its secure internal logs to record users' plaintext passwords when they initiated a password reset.
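As an added illustration of the failure mode described above (this is not GitHub's code; the field names, log format and sample request are constructed for this example), a reset-request logger with and without parameter filtering, plus an audit check that scans existing log lines for unfiltered sensitive fields so an exposure can be scoped:

```python
import json
import re

# Field names that must never reach a log line (constructed list for this example).
SENSITIVE_KEYS = frozenset({"password", "password_confirmation", "reset_token"})


def redact(params, sensitive=SENSITIVE_KEYS):
    """Return a copy of a request-parameter dict with sensitive fields replaced
    by a fixed marker, recursing into nested dicts such as {"user": {...}}."""
    scrubbed = {}
    for key, value in params.items():
        if key.lower() in sensitive:
            scrubbed[key] = "[FILTERED]"
        elif isinstance(value, dict):
            scrubbed[key] = redact(value, sensitive)
        else:
            scrubbed[key] = value
    return scrubbed


def format_reset_log(params, redact_params):
    """Build the internal log line for a password-reset request. With
    redact_params=False this reproduces the defect the article describes:
    the submitted password is written to the log in plaintext."""
    body = redact(params) if redact_params else params
    return "password_reset params=" + json.dumps(body, sort_keys=True)


# A sensitive key whose JSON value is anything other than the filter marker.
_LEAK_RE = re.compile(
    r'"(password|password_confirmation|reset_token)":\s*"(?!\[FILTERED\]")([^"]*)"'
)


def find_plaintext_secrets(log_lines):
    """Audit check: return (line_no, key) for every sensitive field that was
    logged unfiltered, so affected requests can be identified and users reset."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        for m in _LEAK_RE.finditer(line):
            hits.append((n, m.group(1)))
    return hits


if __name__ == "__main__":
    # Constructed reset request; the password and token values are placeholders.
    request = {"user": {"login": "alice", "password": "Example-Passw0rd!",
                        "password_confirmation": "Example-Passw0rd!"},
               "reset_token": "tok_example"}
    buggy = format_reset_log(request, redact_params=False)
    fixed = format_reset_log(request, redact_params=True)
    print(buggy)
    print(fixed)
    print(find_plaintext_secrets([buggy, fixed]))  # hits only on the unfiltered line
```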
Review of past leak incidents
In June 2016 GitHub was hit by a password-reuse attack and reset the passwords of all accounts the attacker had successfully accessed; at the time, usernames and passwords from the LinkedIn/Dropbox/MySpace breaches were used in a credential-stuffing attack against GitHub. Details here:
https://www.oschina.net/news/74443/github-encounter-password-reuse-attack
In November 2016 the profile information of 8 million GitHub users leaked from GeekedIn's MongoDB. Details here:
https://www.oschina.net/news/79164/8-million-github-profiles-were-leaked