A researcher has discovered application source code and private login keys for back-end systems in publicly accessible GitHub repositories.
The discovery was made by IT professional Jason Coulls, who, according to the online news service The Register, recently found the unprotected repositories of data belonging to Scotiabank.
“These repositories featured, among other things, software blueprints and access keys for a foreign exchange rate system, mobile application code, and login credentials for services and database instances,” the news story says. It describes the files as “a potential gold mine of vulnerabilities for criminals and hackers to exploit.”
According to the report, Scotiabank has spent the last couple of days taking down the GitHub repositories, which it believes were inadvertently left open to the public, after being alerted by The Register.
A Scotiabank spokesperson was asked this morning to explain how the incident happened and what the bank’s policy is for developers using GitHub. In reply the bank said “the information we identified that was posted on an online data repository does not contain information that would put our customers, employees and partners at risk. Our technical teams are working to remove the information.”
Canadian banks have to report security incidents to their regulator, the Office of the Superintendent of Financial Institutions (OSFI). Colin Palmer, a communications officer for the OSFI, said in an email that “when situations such as this arise, we are informed, will monitor the situation closely and ask for any clarifications if required.”
He said that for confidentiality reasons the OSFI won’t comment further.
GitHub is a hosting service for repositories managed with the Git version control system, where developers can collaborate on applications. Repositories can be either private or public; anything committed to a public repository, including its full commit history, is readable by anyone. Bought by Microsoft last year, it’s a highly popular service.
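As an added illustration, not code from the article, The Register or Scotiabank, the following Python scanner shows the kind of check that catches the material described in the report (access keys, database connection strings, private keys and password assignments) before it is pushed to a repository, for example from a pre-commit hook or a CI step. The detection patterns, the entropy threshold and the sample settings file are assumptions constructed for this example, not real credentials. One caveat a practitioner will want stated plainly: taking a public repository down does not undo the exposure, since clones and forks may already exist, so any key or password that was published has to be treated as compromised and rotated.

```python
"""Flag credential-shaped strings in text before it reaches a repository.

Added example; the patterns are a small illustrative set, not an exhaustive
detector, and SAMPLE is a constructed settings file with made-up values.
"""
import math
import re
import sys
from typing import List, Tuple

# (kind, pattern).  Deliberately narrow to keep false positives manageable.
PATTERNS = [
    # AWS access key IDs: fixed "AKIA" prefix plus 16 upper-case alphanumerics
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # PEM private key header (RSA, EC, OpenSSH, DSA or unqualified)
    ("private_key_block",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    # scheme://user:password@host style connection strings
    ("db_connection_uri",
     re.compile(r"\b[a-z][a-z0-9+]*://[^\s:/@]+:[^\s@]+@[^\s/]+", re.I)),
    # password = "value" / secret: 'value' with a 6+ character value
    ("password_assignment",
     re.compile(r"(?i)(?:password|passwd|pwd|secret)\s*[=:]\s*['\"]([^'\"\s]{6,})['\"]")),
]

# Long base64/hex-ish tokens that no pattern above explains get an entropy check.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, entropy_threshold: float = 4.0) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, matched_text) for every suspicious hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        covered = []
        for kind, pat in PATTERNS:
            for m in pat.finditer(line):
                findings.append((lineno, kind, m.group(0)))
                covered.append(m.span())
        # Entropy pass over long tokens not already explained by a pattern.
        for m in TOKEN_RE.finditer(line):
            if any(s <= m.start() and m.end() <= e for s, e in covered):
                continue
            if shannon_entropy(m.group(0)) >= entropy_threshold:
                findings.append((lineno, "high_entropy_string", m.group(0)))
    return findings


def redact(secret: str, keep: int = 4) -> str:
    """Keep a short prefix so a finding is identifiable without re-leaking it."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)


# Constructed sample input: none of these values are real credentials.
SAMPLE = """\
# constructed settings file, not real credentials
FX_API_KEY = "AKIAIOSFODNN7EXAMPLE"
DATABASE_URL = "postgres://app:hunter2secret@db.internal:5432/rates"
admin_password = "hunter2x"
api_token = "q7Zp2Lm9Xk4Vt8Rw1Ny6Hs3Jd5Fg0Bc"
LOG_LEVEL = "debug"
-----BEGIN RSA PRIVATE KEY-----
"""


def main(paths: List[str]) -> int:
    """Scan the given files (or SAMPLE when none given); non-zero exit on hits."""
    sources = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in paths]
    if not sources:
        sources = [("<sample>", SAMPLE)]
    hits = 0
    for name, text in sources:
        for lineno, kind, matched in scan_text(text):
            hits += 1
            # Never echo the raw secret into CI logs; print a redacted form.
            print(f"{name}:{lineno}: {kind}: {redact(matched)}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run as `python scan_secrets.py path/to/file ...` (the script name is an assumption); with no arguments it scans the embedded sample. Wired into a pre-commit hook over the staged files, a non-zero exit blocks the commit. The entropy pass is what catches tokens with no recognisable prefix, at the cost of some noise from hashes in lock files, which a real deployment would allow-list by path.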