Toyota left an access key in a public GitHub repository for 5 years. That's right, five years. The code belonged to their T-Connect service. Here is the article, courtesy of Infosecurity Group Magazine.
A couple of thoughts here. The leak was the result of an error made by a contract website developer, and it is an easy error to make: one commit with a key in it, and the key is in the history of every clone from then on. But how can it be prevented?
- Make it policy that secrets are never stored in code or config files committed to GitHub. Keep them in environment variables or a secrets manager and inject them at deploy time, so the repository never has anything worth leaking.
- Audit for slipped secrets using GitRob or another similar secret scanner, and run it on a schedule or in CI rather than once.
- Have your app assessed for security flaws as often as possible, not only before launch.
- Always audit a project's full commit history, not just its current files, for sensitive information before pushing it to GitHub; a key deleted in a later commit is still in the history. And if a key has already reached a public repository, rotate it: rewriting or deleting the history does not un-publish it.
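The two auditing items above (scanning for slipped secrets, and checking the whole history before pushing) can be demonstrated with a small scanner. The following is an added example written for this post; it is not Toyota's code and not GitRob's. It combines a few fixed credential formats (the AWS access key ID prefix, the GitHub token prefix, PEM private key headers, and assignments to variables named like secrets) with a Shannon-entropy check for random-looking strings, and it can run over the output of `git log --all -p` so that a key that was committed and later removed is still caught. The rule set, the 4.0-bit threshold, and the sample history are constructed for illustration; the AWS key pair in the sample is the placeholder pair from AWS's own documentation.

```python
"""Minimal secret scanner for files, diffs, or `git log -p` output.
Added example for this post; not Toyota's code and not GitRob.
The rule set, the entropy threshold and SAMPLE_HISTORY are constructed."""
import math
import re
import subprocess
from collections import Counter

# Credential formats with a fixed, documented shape.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Anything assigned to a name that says "secret"; group 1 is the value.
    "generic_secret_assignment": re.compile(
        r"(?i)(?:secret|password|passwd|api[_-]?key|access[_-]?key|token)"
        r"\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{12,})"
    ),
}
# Fallback for keys with no known prefix: long tokens whose characters are
# close to uniformly distributed (assumed threshold; tune for your code base).
TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; a 32-char string of distinct chars scores 5.0


def shannon_entropy(s):
    """Bits per character of s; random key material scores high, identifiers low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text, source="<text>"):
    """Return a list of findings (source, line, rule, value) for every
    credential-looking string in text. Lines are scanned as-is, so diff
    markers (+/-) and removed lines are covered too."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        seen = set()  # report each value once per line even if two rules hit it
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.lastindex else m.group(0)
                if value not in seen:
                    seen.add(value)
                    findings.append({"source": source, "line": lineno, "rule": rule, "value": value})
        for token in TOKEN.findall(line):
            if token not in seen and shannon_entropy(token) >= ENTROPY_THRESHOLD:
                seen.add(token)
                findings.append({"source": source, "line": lineno,
                                 "rule": "high_entropy_string", "value": token})
    return findings


def scan_git_history(repo_path):
    """Scan every commit on every branch of a local repository, so a secret
    that was committed and later deleted is still found before you push."""
    out = subprocess.run(["git", "-C", repo_path, "log", "--all", "-p", "--no-color"],
                         capture_output=True, text=True, check=True).stdout
    return scan_text(out, source=repo_path)


# Constructed sample of `git log -p` output. The AWS pair is the documented
# placeholder pair from AWS's own docs; the signing key is random-looking filler.
SAMPLE_HISTORY = """\
commit 3f2a9c1 (constructed sample, not a real commit)
Author: contractor <dev@example.invalid>

    add data server client

diff --git a/config/server.py b/config/server.py
+++ b/config/server.py
@@ -0,0 +1,5 @@
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+SESSION_SIGNING_KEY = "q9Zt3LmX7vR2pK8nB4wY6sD1fG5hJ0aC"
+DB_HOST = "data-server-internal.example.invalid"
+TIMEOUT_SECONDS = 30
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_HISTORY, source="sample"):
        print(f"{f['source']}:{f['line']} [{f['rule']}] {f['value']}")
```

Run against the sample, the scanner reports the access key ID by its AKIA prefix, the secret key by the variable name it is assigned to, and the signing key by entropy alone; the long but low-entropy hostname on the next line is not reported. Run `scan_git_history(".")` before the first push of any project, and treat every hit that is not a placeholder as a key that needs rotating, since a scanner only tells you the key is in the history, not whether anyone has already read it.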
It’s impossible to keep attackers out of your stuff permanently, so do yourself the favor of taking steps to make it harder to get in and harder to stay. Avoid the cat voodoo.