A security researcher warned Asus two months ago that employees were improperly publishing passwords in their GitHub repositories that could be used to access the company’s corporate network.
One password, found in an employee repo on the code sharing, allowed the researcher to access an email account used by internal developers and engineers to share nightly builds of apps, drivers and tools to computer owners. The repo in question was owned by an Asus engineer who left the email account’s passwords publicly exposed for at least a year. The repo has since been wiped clean, though the GitHub account still exists.
“It was a daily release mailbox where automated builds were sent,” said Jelle Ursem, who found the data, in a message to TechCrunch. Emails in the mailbox contained the exact internal network path where drivers and files were stored.
The researcher shared several screenshots to validate his findings.
Ursem didn’t test how far the account access could have given him, but warned it could have been easy to pivot onto the network. “All you’d need is send one of those emails with an attachment to any of the recipients for a real nice spearphishing attack,” he said.
The researcher’s findings would not have stopped the hackers who targeted Asus’ software update tool with a backdoor, revealed this week, but reveals a glaring security lapse that could have put the company at risk from similar or other attacks. Security firm Kaspersky warned Asus on January 31 — just a day before the researcher’s own disclosure on February 1 — that hackers had installed a backdoor in the company’s Asus Live Update app. The app was signed with an Asus-issued certificate and hosted on the company’s download servers. More than a million users were pushed the backdoored code, researchers have estimated. Asus confirmed the attack in a statement and released a patched version.
Through the company’s dedicated security email, Ursem warned Asus of the exposed credentials. Six days later, he could no longer log in to the mailbox and assumed the matter was resolved.
But he found at least two other cases of Asus engineers exposing company passwords on their GitHub pages.
One Asus software architect based in Taiwan — where the company has its headquarters — left a username and password in code on his GitHub page. Another Taiwan-based data engineer also had credentials in his code.
“Companies have no clue what their programmers do with their code on GitHub,” said Ursem.
A day after we alerted Asus to the researcher’s email, the repos containing the credentials were pulled offline and wiped clean. Yet when reached, Asus spokesperson Randall Grilli told TechCrunch that the computer maker was “unable to verify the validity” of the claims in the researcher’s emails. “Asus is actively investigating all systems to remove all known risks from our servers and supporting software, as well as to ensure there are no data leaks,” he added.
Granted, this isn’t an issue limited to Asus. Other companies have been put at risk by exposed and leaked credentials or hardcoded secret keys. Last week, academics found more than 100,000 public repos storing cryptographic keys and other secrets.
Among the most famous examples of exposed credentials was Uber, in which an engineer mistakenly left cloud keys in a GitHub repository, which when discovered and exploited by hackers was used to pilfer data on 57 million users. Uber was later ordered to pay $148 million in a data breach settlement.
But given Asus knew of the issues months ago amid a backdoor threat that affected more than a million users, you would have hoped for a better, more active response.