GithubBug导致部分用户密码明文暴漏给内部员工

上周国外多家媒体报道，在 Github 内部的日志系统中，部分用户的密码以明文的形式暴漏给了内部员工。

经整理，事件始末如下：

Github 上周二向部分用户发送了一封电子邮件，通知由于密码重置功能出现故障，导致其内部日志明文记录了某一时间段用户在进行密码重置时的密码。目前 Bug 已修复，但这一部分的用户需要再次重置密码才能访问帐户。

邮件中，GitHub 还表示这些密码大多数 GitHub 员工是无法访问的，更不会被公众或其他 GitHub 用户访问到。GitHub 不会故意以明文格式存储密码，也没有被黑客入侵或以任何方式泄密。

邮件全文如下：

During the course of regular auditing, GitHub discovered that a recently introduced bug exposed a small number of users' passwords to our internal logging system, including yours. We have corrected this, but you'll need to reset your password to regain access to your account.

GitHub stores user passwords with secure cryptographic hashes (bcrypt). However, this recently introduced bug resulted in our secure internal logs recording plaintext user passwords when users initiated a password reset. Rest assured, these passwords were not accessible to the public or other GitHub users at any time. Additionally, they were not accessible to the majority of GitHub staff and we have determined that it is very unlikely that any GitHub staff accessed these logs. GitHub does not intentionally store passwords in plaintext format. Instead, we use modern cryptographic methods to ensure passwords are stored secure in production. To note, GitHub has not been hacked or compromised in any way.

You can regain access to your account by resetting your passwords using the link below::

https://github.com/password_reset

最初，许多用户在收到邮件后以为这是一个大规模的网络钓鱼攻击，并在 Twitter 上晒起了截图。之后才确定是官方发送的邮件，也因此引起了许多媒体的关注和报道。

更多关于此事件的详细报道请看国外媒体：gizmodo、zdnet、whatsnew2day

【声明】文章转载自：开源中国社区 [http://www.oschina.net]

以上就是本文的全部内容，希望对大家的学习有所帮助，也希望大家多多支持 我们