How I Tripped Over the Debian Weak Keys Vulnerability (
from tedu to cloudsec on 09 Apr 2024 18:57

Eventually, after more than a little debugging, we discovered that, somehow, there were two users with keys that had the same key fingerprint. This absolutely shouldn’t happen – it’s a bit like winning the lottery twice in a row – unless the users had somehow shared their keys with each other, of course. Still, it was worth investigating, just in case it was a web application bug, so the GitHub team reached out to the users impacted, to try and figure out what was going on.

#cloudsec #random

threaded - newest