GitHub's deleted and private repositories could be accessible to "anyone" and pose a potential security risk if they contain highly sensitive data, cybersecurity investigators have claimed.
Researchers from Truffle Security have allegedly found 40 API keys belonging to a unnamed AI company inside a deleted fork on Github.
They claimed that any data stored in accessible repositories could be "an enormous attack vector for all organisations that use GitHub", warning that companies could "inadvertently" expose "confidential data and secrets".
"The average user views the separation of private and public repositories as a security boundary, and understandably believes that any data located in a private repository cannot be accessed by public users," Truffle Security wrote.
"Unfortunately... deleting a repository or fork does not mean your commit data is actually deleted."
READ MORE: Mike Hanley, CSO, GitHub on “guns, gates, guards”, AI, ignoring the “flashy stuff”
The alleged issue relates to pre-existing rules in Github. Whenever someone forks a public repository on GitHub, they create a new copy on which they can freely experiment and make changes without affecting the original.
When a user deletes a public repository, one of the existing public forks is chosen to be the new "upstream" repository.
Truffle Security claimed: "However, all of the commits from the 'upstream' repository still exist and are accessible via any fork."
It added: "You can access data from deleted forks, deleted repositories and even private repositories on GitHub."
The claims have sparked impassioned discussion on forums and social media, with some people saying that people should already be aware of the alleged issue, and others calling for Github to take action.
"None of this seemed surprising to me, perhaps because I've made PRs [private repositories], seen that PRs from deleted repositories are still visible, and generally have this mental model of 'a repository fork is part of a network of forks, which is a shared collection of git objects'," a commenter wrote on Hacker News.
"If people are surprised by this - and clearly a non-trivial number of people are - then even if the behavior works as intended it should be indicated in the UI at critical points," another said.
The advice to anyone worried about security is simple: rotate your keys.
"If you published a key, you must assume someone copied it and that deleting references to it is not sufficient," a Hacker News commenter advised. "You must rotate that key now, and should check whether it was used improperly. This is pretty basic incident response."
On X, a user called Mark O'Neill told his 7,000 followers: "I am so so sorry, CTO’s, I know it has been a tough week with CrowdStrike and Intel but you may now need to rapidly change ALL your API keys."
A Github spokesperson said: "GitHub is committed to investigating reported security issues. We are aware of this report and have validated that this is expected and documented behavior inherent to how fork networks work. You can read more about how deleting or changing visibility affects repository forks in our documentation."
