Someone found that Huawei developers pushed LDAP credentials to GitHub, which may be related to Huawei's public claims of being hacked 🤦🏻♂️
It's interesting how @Huawei claims to be hacked by the US a few times. So I started looking at what is publicly available. The security team of @Huawei loves their @Splunk apps and pushes their LDAP network credentials to @github
— Victor Gevers (@0xDUDE) March 9, 2019
How do you say: "Please hack me?" in Chinese? 🤦♂️ pic.twitter.com/wxF7nUlhgr
Was committing the credentials into Git deliberate or accidental?
Either way, committing secrets/credentials into Git is always poor practice, so please do not copy it!
The usual ways of handling secrets/credentials boil down to:
- Environment variable
- Secret file
- HashiCorp Vault (advanced)
The minimum requirement is that an attacker must first gain access to the production server before they can get at your secrets. A stricter requirement is that each application on the production server can only access its own secrets, so that if one of your applications has a vulnerability that lets someone run a remote script, it still cannot compromise the other applications on the SAME production server.
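As an added example (not code from the original post), here is a small Python secret loader that follows the first two options above: it resolves a secret from an environment variable, falling back to a secret file, and rejects any file whose ownership or permissions would let other applications running as other users on the same production server read it. The secret name `LDAP_BIND_PASSWORD`, the directory layout and the password value are constructed for the demo and assume a Linux host.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Optional


class SecretError(RuntimeError):
    """Raised when a secret is missing or stored in an unsafe way."""


def load_secret(name: str, secret_dir: Optional[str] = None) -> str:
    """Resolve a secret by name, never from source control.

    Order: 1) environment variable NAME, 2) file <secret_dir>/<name>.
    The file is only accepted when it is a regular file owned by the
    calling user and not readable by group/other, so two applications
    running as different users on the same host cannot read each other's
    secrets.
    """
    value = os.environ.get(name)
    if value:
        return value
    if secret_dir is None:
        raise SecretError(f"{name}: not in environment and no secret dir given")
    path = Path(secret_dir) / name
    try:
        st = path.lstat()  # lstat: do not follow symlinks into other users' files
    except FileNotFoundError:
        raise SecretError(f"{name}: not in environment and {path} does not exist")
    if not stat.S_ISREG(st.st_mode):
        raise SecretError(f"{path}: only regular files are accepted as secret files")
    if st.st_uid != os.geteuid():
        raise SecretError(f"{path}: owned by uid {st.st_uid}, not by this application")
    if st.st_mode & 0o077:
        raise SecretError(f"{path}: mode {stat.filemode(st.st_mode)} is readable by others")
    return path.read_text(encoding="utf-8").strip()


def demo() -> dict:
    """Constructed demo: a 0600 secret file is accepted, a 0644 one is rejected."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        secret = Path(d) / "LDAP_BIND_PASSWORD"
        secret.write_text("example-password-not-real\n")
        secret.chmod(0o600)
        results["file_ok"] = load_secret("LDAP_BIND_PASSWORD", d)
        secret.chmod(0o644)  # now group/other readable: must be rejected
        try:
            load_secret("LDAP_BIND_PASSWORD", d)
            results["open_file"] = "accepted"
        except SecretError:
            results["open_file"] = "rejected"
    os.environ["LDAP_BIND_PASSWORD"] = "from-env"  # environment takes precedence
    results["env"] = load_secret("LDAP_BIND_PASSWORD")
    del os.environ["LDAP_BIND_PASSWORD"]
    return results


if __name__ == "__main__":
    print(demo())
```

Deploying the secret file as root with `chown app-user` and `chmod 0600` gives each application its own readable-only-by-itself secret, which is the per-application isolation described above.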
#Honestly
#As a developer, when you see a credential you always want to try whether it works first