13 October 2021

Microsoft, GitHub, GitLab, and BitBucket revoke insecure SSH keys


Microsoft Azure DevOps, GitHub, GitLab, and BitBucket, four of the largest code hosting portals to date, have all issued a mass recall of SSH keys following a report about a vulnerability in GitKraken, a popular Git software client.

The decision to revoke SSH keys was made after the GitKraken engineering team contacted the Git hosting service providers about the issue. The bug, discovered in late September by the GitKraken team, resides in the open source SSH key generation library used in GitKraken versions 7.6.x, 7.7.x and 8.0.0, released between 5-12-21 and 9-27-21.

The vulnerability exists due to an error in the pseudo-random number generator used by the keypair library to generate RSA keys for SSH connections. Because the generator is flawed, a remote attacker can generate duplicate SSH keys and gain unauthorized access to the affected systems.

The vulnerability was fixed with the release of GitKraken 8.0.1. However, the GitKraken team has warned that users who have upgraded will still need to replace any GitKraken-generated keys that were created with the affected versions.

Users who are not sure which version they used to generate their SSH key are recommended to renew the key by doing the following:

1. Remove all old GitKraken-generated SSH keys stored locally.

2. Generate new SSH keys using GitKraken 8.0.1, or later, for each of your Git service providers.
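The weakness described above, identical keys coming out of a broken PRNG, is something a hosting provider or an administrator can check for on their own side. The following Python script is an added example, not code from the article or from GitKraken: it parses OpenSSH ssh-rsa public-key lines, groups them by fingerprint to find the same key registered under more than one account, and also runs the classic pairwise-GCD check for moduli that share a prime factor, the broader symptom of a weak RNG. The account names and the tiny toy moduli are constructed test data.

```python
import base64, hashlib, struct
from collections import defaultdict
from itertools import combinations
from math import gcd

def _mpint(x):
    # SSH mpint encoding: big-endian bytes, with a leading 0x00 when the top bit is set
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    return b"\x00" + b if b[0] & 0x80 else b

def make_pubkey_line(e, n, comment):
    # Build an OpenSSH 'ssh-rsa <base64 blob> comment' line (used only for constructed test data)
    blob = b"".join(struct.pack(">I", len(f)) + f for f in (b"ssh-rsa", _mpint(e), _mpint(n)))
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def parse_pubkey_line(line):
    # Returns (blob, e, n) for an ssh-rsa line, None for anything else
    if len(parts := line.split()) < 2 or parts[0] != "ssh-rsa":
        return None
    blob, fields, off = base64.b64decode(parts[1]), [], 0
    while off + 4 <= len(blob):  # walk the length-prefixed wire-format fields
        (ln,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + ln])
        off += 4 + ln
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        return None
    return blob, int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")

def fingerprint(blob):
    # Same SHA256:<unpadded base64> form that `ssh-keygen -l` prints
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def audit_keys(records):
    # records: [(account, pubkey_line)] -> (duplicate keys, pairs of accounts whose moduli share a prime)
    accounts_by_fp, first_account_by_n = defaultdict(list), {}
    for account, line in records:
        if (parsed := parse_pubkey_line(line)) is None:
            continue
        blob, _e, n = parsed
        accounts_by_fp[fingerprint(blob)].append(account)
        first_account_by_n.setdefault(n, account)
    # Identical key material registered under more than one account
    duplicates = {fp: a for fp, a in accounts_by_fp.items() if len(set(a)) > 1}
    # Distinct moduli with a common prime factor: both keys are then trivially factorable
    shared = [(a1, a2) for (n1, a1), (n2, a2) in combinations(first_account_by_n.items(), 2)
              if gcd(n1, n2) != 1]
    return duplicates, shared

# Constructed toy keys (tiny moduli, never real): alice and bob hold the same key, carol's modulus shares the prime 61 with alice's, dave's key is independent
SAMPLE = [(who, make_pubkey_line(65537, n, f"{who}@host")) for who, n in
          (("alice", 61 * 53), ("bob", 61 * 53), ("carol", 61 * 59), ("dave", 67 * 71))]
```

Running `audit_keys(SAMPLE)` flags alice and bob as sharing one key and alice and carol as having moduli with a common factor; on real data the inputs would be the public keys registered across accounts.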

