Left your keys at the restaurant?

Toyota left an access key in a public GitHub repository for five years. That’s right, five years. The code belonged to their T-Connect service. Here is the article, courtesy of Infosecurity Group Magazine.

A couple of thoughts here. This was the result of an error made by a contract web development professional, and it’s an easy error to make. But how can it be prevented?

  • Make it policy that secrets never live in code or config committed to GitHub; inject them at runtime from environment variables or a secrets manager instead.
  • Audit for slipped secrets with Gitrob or a similar scanner, and run it in CI so a leak is caught at the pull request rather than five years later.
  • Have your app assessed for security flaws regularly, not just once before launch.
  • Always audit a project’s full history for sensitive information before pushing it to GitHub. Deleting a secret in a later commit does not remove it from the earlier ones, and once a key has reached a public remote it must be treated as compromised and rotated.

It’s impossible to keep attackers out of your stuff permanently, so do yourself the favor of taking steps to make it harder to get in and harder to stay. Avoid the cat voodoo.
