How I accidentally got access to the secret keys to NBC’s websites

We use Github extensively here at BookingBug and I, like many of you, have a github.com account. For those not in the know, it’s a fantastic SaaS that helps you host and track changes to your codebase in online repositories, which you can have as either public or private.

However, as a shared platform, it relies on unique usernames to give access to your team’s projects, much in the same way as a twitter ID. Since I was a fairly early user, I actually have the account name “Glenn” https://github.com/Glenn.

“Glenn” is not the most common name in the world, nor is it the most uncommon. And the problem with GitHub is that if you have a “private repository” of your code and want to give access to a colleague or teammate, you simply type their username. So, occasionally someone just adds “Glenn” to their project instead of a username like “Glenn87” and I get notified that I’m suddenly added to someone’s private repository.

This has happened a few times to me, and in the past it’s just been to someone’s pet project — I think the last time was a little Role Playing Game that someone was writing, nothing serious.

But then this morning I was added to a new repository, this one a little more exposing. It wasn’t a code base, which is what GitHub is normally used for, but a collection of configuration files.

In this case, it was the configuration for some continuous integration build scripts.

Including the secure Amazon Web Services secret keys and access token to their servers.

For all of the websites of NBC Universal.

Oh, Shit.

SaaS security github

For all of the security, NBC has in-house, for all of their layers of protection and passwords, some poor project or IT guy just mailed all of the keys to NBC’s servers to the wrong guy in one mistyped username.

At this point, I’m slightly terrified. What if some NBC lawyer, who doesn’t understand how the internet or cloud services work, suddenly accuses me of hacking their servers? As the CEO of a UK-based company selling to US enterprises, I kind of live in permanent fear of American lawyers at the best of times!

I’ve reached out to NBC for comment, and obviously wouldn’t dream of doing anything with the keys — although plastering all of NBC’s web sites with BookingBug adverts could be tempting! (That’s a joke for any lawyers reading with no sense of humour).

Similarly to accidentally finding a set of house keys on the street -– finding the keys is not a crime, using them to burgle someone house definitely is! I don’t actually know what level of access these keys would give me -– and I’m not about to try them and find out. Luckily the great thing about much of the tech community is (for the most part) we’re a friendly, honest and helpful bunch…

However, this does highlight the dangers of mismanaged cloud services and is exactly the kind of balls up that could put a dent in last 10 years of progress SaaS vendors have made.

Cloud-based tools are a fantastic way for an organisation of any size to reduce the cost and admin of all kinds of internal and external software platforms. Used effectively, they can be secure, powerful and easy to manage. However, like any tool, cutting costs and cutting corners leads to risk.

At BookingBug, we offer SaaS booking and appointment systems on a variety of levels. We have fully shared platforms where millions of users are booking on the same set of servers and database, with things like logins common across the whole platform. For larger enterprises, we also offer fully secure custom Virtual Private Clouds, where all your data is locked down and the only users with access are your own internal teams.

However sometimes companies like to keep costs down and, rather than run a secure platform, they take the cheaper route and use an open shared platform.

As a vendor of cloud SaaS – I’m obviously a big fan and supporter of correctly managed cloud services but, like any tool, cutting costs and reducing security creates risk.

And finally to NBC I’d definitely ask: why the hell did you put your secret keys on a GitHub.com repo in the first place?