HackerTrans
TopNewTrendsCommentsPastAskShowJobs

thyrfa

no profile record

comments

thyrfa
·11 माह पहले·discuss
Not at that time though, right, considering it was dumped? You have changed since, which is good, but under a year ago had it as just an env var
thyrfa
·11 माह पहले·discuss
How can you guarantee that nobody ripped the private key before the researcher told you about the issue though?
thyrfa
·11 माह पहले·discuss
It is incredibly bad practice that their "become the github app as you desire" keys to the kingdom private key was just sitting in the environment variables. Anybody can get hacked, but that's just basic secrets management, that doesn't have to be there. Github LITERALLY SAYS on their doc that storing it in an environment variable is a bad idea. Just day 1 stuff. https://docs.github.com/en/apps/creating-github-apps/authent...