2700万程序员受影响？Github明文记录用户密码

2023-12-04 11:11:14 AnQuanKeInfo 来源：ZONE.CI 全球网 0 阅读模式

作者：dailydot@安全加beta

程序员依靠 Github 来安全地托管他们的开源软件项目。但近日 Github密码重置功能出现问题，日志中以明文形式记录了用户密码，这可能会让开发人员泄露他们的开发代码及相关敏感信息，并暴露在流行的存储库网站上。Github坚持认为只有Github的2700万用户中的一小部分受到影响。

Github密码重置功能出现漏洞日志中以明文形式记录了用户密码

来自dailydot的消息称，Github周二发送了一封电子邮件，警告其密码重置功能出现故障，该密码重置功能在日志中，以明文方式记录了用户密码。该网站确认这些密码只有少数该公司的员工可以访问日志。他们没有向公众发布或提供给其他用户。

Bleeping Computer报道，许多用户将他们收到的电子邮件发布到Twitter，尽管有人认为这是一个网络钓鱼活动。

哎呀，pic.twitter.com/Azj3i67zrJ

– ??????????? （@ olihough86）2018年5月1日

Whoah @ github似乎有#users #password问题。其他人都收到了吗？
pic.twitter.com/m8ybsanjBP

– SwitHak（@SwitHak）2018年5月1日

Github发布的邮件全文如下

During the course of regular auditing, GitHub discovered that a recently introduced bug exposed a small number of users' passwords to our internal logging system, including yours. We have corrected this, but you'll need to reset your password to regain access to your account.

GitHub stores user passwords with secure cryptographic hashes (bcrypt). However, this recently introduced bug resulted in our secure internal logs recording plaintext user passwords when users initiated a password reset. Rest assured, these passwords were not accessible to the public or other GitHub users at any time. Additionally, they were not accessible to the majority of GitHub staff and we have determined that it is very unlikely that any GitHub staff accessed these logs. GitHub does not intentionally store passwords in plaintext format. Instead, we use modern cryptographic methods to ensure passwords are stored secure in production. To note, GitHub has not been hacked or compromised in any way.

You can regain access to your account by resetting your passwords using the link below::

https://github.com/password_reset