
All news with #key leakage tag

Wed, August 27, 2025

Password Manager Auto-Fill Flaw, Quantum Risks, Devices

🔒 In this edition of the Smashing Security podcast Graham Cluley and guest Thom Langford examine how some password managers can be tricked into auto-filling secrets into cookie banners via a clickjacking sleight-of-hand. They discuss practical defenses for website owners and hardening steps for users to protect their personal vaults. The episode also covers post-quantum concerns—"harvest-now, decrypt-later"—Microsoft’s 2033 quantum-safe commitment, and device update risks including printers, plus lighter segments like a dodgy URL "shadyfier" and repurposing an iMac G4 as a media hub.


Mon, August 25, 2025

What 17,845 GitHub MCP Servers Reveal About Risk and Abuse

🛡️ VirusTotal ran a large-scale audit of 17,845 GitHub projects implementing the MCP (Model Context Protocol) using Code Insight powered by Gemini 2.5 Flash. The automated review initially surfaced an overwhelming number of issues, and a refined prompt focused on intentional malice marked 1,408 repos as likely malicious. Manual checks showed many flagged projects were demos or PoCs, but the analysis still exposed numerous real attack vectors—credential harvesting, remote code execution via exec/subprocess, supply-chain tricks—and recurring insecure practices. The post recommends treating MCP servers like browser extensions: sign and pin versions, sandbox or WASM-isolate them, enforce strict permissions and filter model outputs to remove invisible or malicious content.


Sat, July 26, 2025

Viacom Cloud Leak Exposed Master Controls and Keys

🔒 On August 30, 2017, UpGuard researchers discovered a publicly accessible Amazon S3 bucket named “mcs-puppet” containing seventy-two .tgz backup archives that included Puppet manifests, configuration files, keys, and credentials tied to Viacom. The repository exposed AWS access and secret keys, GPG decryption keys, and scripts referencing services such as Docker, Jenkins, Splunk, and New Relic. UpGuard notified Viacom on August 31, and the exposure was secured within hours. The incident demonstrates how cloud misconfigurations can reveal master provisioning controls and enable widespread infrastructure compromise.


Sat, July 26, 2025

Amazon Engineer Exposed Credentials via Public GitHub Repo

🔒 UpGuard discovered a public GitHub repository on 13 January 2020 containing an Amazon Web Services engineer’s personal identity documents and numerous system credentials. The repository included AWS key pairs (including a file named rootkey.csv), API tokens, private keys, passwords, logs, and customer-related templates. UpGuard reported the exposure to AWS Security within hours and the repository was secured the same day. The incident highlights how rapid leak detection can prevent accidental disclosures from escalating.


Sat, July 26, 2025

Amazon Engineer Exposed Credentials in Public GitHub Repo

⚠️ On 13 January 2020, UpGuard identified a public GitHub repository containing sensitive material tied to an Amazon Web Services engineer. The repo, roughly 954 MB when downloaded, included personal identity documents, bank statements, log files, AWS key pairs (including a file labeled rootkey.csv), private keys, passwords and third-party API tokens. UpGuard analysts detected the exposure within half an hour and notified AWS Security early that afternoon, and the repository was taken out of public view the same day. Rapid detection and remediation appear to have prevented escalation; there is no evidence of malicious intent or end-user data compromise.


Sat, July 26, 2025

Exposed NGA Data Linked to Booz Allen S3 Misconfiguration

🛡️ UpGuard analyst Chris Vickery discovered a publicly exposed S3 file repository containing credentials and SSH keys tied to systems used by US geospatial intelligence contractors. The plaintext data included access tokens and administrative credentials that could enable entry to systems handling Top Secret-level data. NGA secured the bucket rapidly after notification; Booz Allen Hamilton responded later. UpGuard preserved the dataset at government request.


Thu, July 10, 2025

Accenture Cloud Buckets Exposed Sensitive Credentials

🔓 UpGuard disclosed that Accenture left four Amazon S3 buckets publicly accessible, exposing sensitive Accenture Cloud Platform data including API keys, certificates, plaintext passwords, and private keys. The buckets — labeled acp-deployment, acpcollector, acp-software, and acp-ssl — contained credentials, VPN keys, logs, and large database dumps that included client information. After discovery on September 17, 2017, UpGuard notified Accenture and the buckets were secured the following day. This incident underscores how misconfigured cloud storage can endanger both vendors and their customers.


Mon, August 7, 2017

Engineering Firm Exposes Critical Infrastructure Data

⚠️ UpGuard discovered a public rsync repository exposing data from Power Quality Engineering (PQE), including client inspection reports, infrared imagery and plaintext internal passwords. The July 2017 exposure allowed downloads of hundreds of gigabytes via port 873 and revealed schematics for clients such as Dell, Oracle, Texas Instruments, and the City of Austin, including a SCIF layout. PQE secured the server after notification; the incident highlights the large risk of simple misconfigurations and third‑party vendor failures.
