HackerTrans
TopNewTrendsCommentsPastAskShowJobs

thyrfa

no profile record

comments

thyrfa
·11 bulan yang lalu·discuss
Not at that time though, right, considering it was dumped? You have changed since, which is good, but under a year ago had it as just an env var
thyrfa
·11 bulan yang lalu·discuss
How can you guarantee that nobody ripped the private key before the researcher told you about the issue though?
thyrfa
·11 bulan yang lalu·discuss
It is incredibly bad practice that their "become the github app as you desire" keys to the kingdom private key was just sitting in the environment variables. Anybody can get hacked, but that's just basic secrets management, that doesn't have to be there. Github LITERALLY SAYS on their doc that storing it in an environment variable is a bad idea. Just day 1 stuff. https://docs.github.com/en/apps/creating-github-apps/authent...