
Ex-Employee Private Code Repository Accounts: A Breach Waiting to Happen?

Adam Borczyk

A recent application audit revealed several concerns regarding source code management practices. The most significant finding involves the storage of code in a private GitHub repository that remains tied to a former employee’s account. This configuration poses potential risks to code access and management.

Screenshot of repository analysis

As an auditor, I decided to conduct a deeper analysis of this finding.

Why is this a problem?

During the analysis of the application’s code, it was discovered that the repository’s history contains a previously deleted .env file containing the encryption key for the application’s data. While this file is not visible in the current file listing, it remains recoverable through the .git directory’s commit history. Additionally, this same encryption key is currently in use within the application’s testing environment.

Screenshot of encryption key
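The point above is that deleting a file does not remove it from the repository: the parent of the deleting commit still carries it. The following is an added example, not code from the audit or the article, that lists sensitive files deleted anywhere in a clone's history, recovers each from the parent commit and reports which variables in it look like credentials. The path patterns, variable-name patterns and the sample log/.env content are assumptions constructed for the example.

```python
import re
import subprocess
from typing import Dict, List

# Constructed sample of what `git log --all --diff-filter=D --name-only
# --pretty=format:%H` prints: two commits, the first of which deleted .env.
CONSTRUCTED_LOG = "3f2a" + "0" * 36 + "\nsrc/app.py\n.env\n\n" + "a1b2" + "f" * 36 + "\nREADME.md\n"
# Constructed sample of the .env content still present in the parent commit.
CONSTRUCTED_ENV = ("# local settings\nAPP_ENV=test\nDB_PASSWORD=s3cr3t-pass-word\n"
                   'ENCRYPTION_KEY="base64:QUJDREVGR0hJSktMTU5PUA=="\nDEBUG=true\n')
# Deleted paths worth recovering (assumed default list; extend per project).
SENSITIVE_PATHS = re.compile(r"(^|/)(\.env(\..+)?|.*\.pem|.*\.key|secrets\.ya?ml)$")
# KEY=value lines whose name suggests a credential and whose value is not a stub.
SECRET_LINE = re.compile(
    r"^[ \t]*(?P<name>[A-Z0-9_]*(KEY|SECRET|TOKEN|PASSWORD|PASSWD)[A-Z0-9_]*)[ \t]*=[ \t]*"
    r"['\"]?(?P<value>[^'\"\s#]{8,})", re.M)
SHA = re.compile(r"^[0-9a-f]{40}$")

def parse_deletions(log_output: str) -> Dict[str, List[str]]:
    """Map each commit sha to the sensitive paths that commit deleted."""
    found: Dict[str, List[str]] = {}
    sha = None
    for line in log_output.splitlines():
        line = line.strip()
        if SHA.match(line):
            sha = line
        elif line and sha and SENSITIVE_PATHS.search(line):
            found.setdefault(sha, []).append(line)
    return found

def find_secret_lines(content: str) -> List[str]:
    """Return the variable names in dotenv-style content that carry secret-looking values."""
    return [m.group("name") for m in SECRET_LINE.finditer(content)]

def audit_repo(repo: str) -> Dict[str, List[str]]:
    """Recover every sensitive file deleted anywhere in history and report which of
    its variables look like secrets. A deleting commit only removes the file from
    the tree; its parent (sha^) still holds the content, so `git show` retrieves it."""
    def git(*args: str) -> str:
        return subprocess.run(["git", "-C", repo, *args], capture_output=True,
                              text=True, check=True).stdout
    log = git("log", "--all", "--diff-filter=D", "--name-only", "--pretty=format:%H")
    report: Dict[str, List[str]] = {}
    for sha, paths in parse_deletions(log).items():
        for path in paths:
            names = find_secret_lines(git("show", f"{sha}^:{path}"))
            if names:
                report[f"{sha[:12]}:{path}"] = names   # e.g. "3f2a00000000:.env"
    return report
```

Run `audit_repo("/path/to/clone")` against a local clone of the repository; a non-empty report means the value must be treated as exposed and rotated, since deleting the file again changes nothing.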

This situation means that the security of the application’s code and data may rely entirely on the configuration of the former employee’s private account and his or her approach to secure information management. The client has no control over the code, which creates a risk of unauthorized access.

Potential security breaches would require access to the former employee’s account. This could happen as a result of another attack, such as phishing or password compromise by other means.

Technical details

During the analysis, several actions were taken that confirmed the existence of the risk:

  1. Account activity: The former employee’s GitHub account shows ongoing activity in various projects, demonstrating that the account remains active and outside organizational control.

Screenshot of account activity

  2. Commit history: The repository’s commit history indicates that the last commit was made approximately one year ago, coinciding with the end of the employee’s tenure at the company.

Screenshot of commit history

  3. Social media analysis: A review of the former employee’s LinkedIn profile confirms their departure from the company approximately one year ago, creating potential data security risks due to continued repository access.

Screenshot of LinkedIn profile

Recommendations

Repository Management

  • Migrate all source code to company-controlled infrastructure to establish complete repository oversight and access control
  • Implement regular access audits of critical resources, particularly source code repositories, to prevent unauthorized access
  • Enforce two-factor authentication (2FA) for all repository access
  • Implement branch protection rules to prevent direct pushes to main branches

Security Controls

  • Establish a robust encryption key rotation policy with immediate key replacement protocols during security incidents
  • Provide a secure, company-controlled work environment for all development activities
  • Store all sensitive credentials in specialized key stores, not in repositories
  • Deploy automated code scanning tools to detect security vulnerabilities
  • Implement secure development practices and coding guidelines

Access Control Automation

  • Deploy an automated access management system that synchronizes with HR processes to immediately revoke permissions upon employment termination
  • Implement Data Loss Prevention (DLP) systems to monitor and control sensitive data movement across the organization
  • Implement granular role-based access control (RBAC) with the principle of least privilege
  • Create dedicated user groups for repository access to better manage permissions
  • Regularly review audit logs and repository activity
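The "regular access audits" and "synchronize with HR processes" recommendations above reduce to one reconciliation: compare who can reach each repository with who still works for the company, and flag repositories that live under a personal account at all, since those cannot be revoked, only migrated. The following is an added example, not code from the audit or the article; the organization name, logins and HR roster are constructed, and the collaborator record shape (`login`, `role_name`) follows the GitHub REST API collaborators endpoint.

```python
import json
import urllib.request
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Finding:
    repo: str
    login: str
    action: str   # "migrate" | "revoke" | "review"
    reason: str

def fetch_collaborators(owner: str, repo: str, token: str) -> List[dict]:
    """Live variant: list collaborators via the GitHub REST API (token needs read
    access to the repository). Not exercised by the offline sample below."""
    req = urllib.request.Request(
        f"https://api.github.com/repos/{owner}/{repo}/collaborators",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def audit_access(org: str, repos: Dict[str, List[dict]], roster: Dict[str, str]) -> List[Finding]:
    """repos maps 'owner/name' to its collaborator list; roster maps a GitHub login
    to its HR status ('active', 'terminated'); unmapped logins are reported too."""
    findings: List[Finding] = []
    for full_name, collaborators in repos.items():
        owner = full_name.split("/", 1)[0]
        if owner != org:
            # The company cannot revoke anything on a personal repository; the only
            # remedy is migration. An ex-employee owner is the worst case of this.
            findings.append(Finding(full_name, owner, "migrate",
                f"owned by a personal account (HR status: {roster.get(owner, 'unknown')})"))
        for c in collaborators:
            status = roster.get(c["login"], "unknown")
            if status == "terminated":
                findings.append(Finding(full_name, c["login"], "revoke",
                    f"HR status is terminated but the '{c.get('role_name')}' role is still granted"))
            elif status == "unknown":
                findings.append(Finding(full_name, c["login"], "review",
                    "login is not mapped to any employee in the HR roster"))
    return findings

# Constructed sample data (not from the audit described in the article).
ORG = "example-org"
CONSTRUCTED_REPOS = {
    "former-dev/client-app": [{"login": "former-dev", "role_name": "admin"},
                              {"login": "ci-bot", "role_name": "write"}],
    "example-org/payments": [{"login": "former-dev", "role_name": "write"},
                             {"login": "current-dev", "role_name": "admin"}],
}
CONSTRUCTED_ROSTER = {"former-dev": "terminated", "current-dev": "active"}
```

Feeding this the output of `fetch_collaborators` for every repository the company depends on, on a schedule or from the HR offboarding hook, turns the one-off audit finding into a recurring control.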
