GitHub revokes weak SSH keys generated by a third-party app

The problematic dependency, keypair, is an open-source package that GitKraken uses to generate RSA key pairs for SSH authentication. GitKraken versions 7.6.x, 7.7.x, and 8.0.0, released between May 12, 2021, and September 27, 2021, are affected.

The flaw caused these versions to generate weak SSH key pairs. The key material was produced with low entropy (too little unpredictability), so different users could independently end up with the same key, and a duplicated private key is effectively a shared one.

In a Monday advisory, keypair’s maintainer Julian Gruber wrote, “This could enable an attacker to decode confidential messages or gain unauthorised access to a victim’s account.” Since then, the problem has been fixed in keypair version 1.0.4 and GitKraken version 8.0.1.

Axosoft developer Dan Suceava is credited with discovering the flaw, and GitHub security engineer Kevin Jones with determining its root cause and its location in the source code. At the time of writing there is no evidence that the weakness has been exploited to breach accounts in the wild.

Affected users should review and "delete all previous GitKraken-generated SSH keys stored locally," then "create new SSH keys using GitKraken 8.0.1, or later, for each of your Git service providers," such as GitHub, GitLab, and Bitbucket. The old public keys should also be removed from each provider's account settings: deleting the private key locally does not revoke the copy the server still trusts.
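The two symptoms described above, duplicate keys caused by low-entropy generation and the need to find and retire the affected keys, can be checked for with a small audit script. The following is an added example and not code from the article, GitKraken, or keypair. It parses OpenSSH "ssh-rsa" public key lines, computes the same SHA256 fingerprint that ssh-keygen -lf prints, reports accounts holding an identical key, and also flags keys that share a prime factor, since a weak random source often yields keys that are related rather than byte-identical. The sample keys are constructed inline from small Mersenne primes so the script runs offline; the pairwise gcd is a stand-in for the batch-GCD scan you would run over a large real key set.

```python
"""Audit OpenSSH RSA public keys for signs of low-entropy generation.

Added example (not code from the page, GitKraken, or keypair). Checks:
  1. identical keys (same SHA256 fingerprint) held by different accounts;
  2. distinct keys that share a prime factor, found with gcd(n1, n2) > 1.
Sample keys are constructed from small Mersenne primes so this runs offline;
real keys are 2048+ bits and a batch-GCD scan replaces the pairwise loop.
"""
import base64
import hashlib
import math
import struct
from itertools import combinations


def _mpint(x: int) -> bytes:
    """SSH mpint: length-prefixed big-endian, leading 0x00 if the top bit is set."""
    body = x.to_bytes((x.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(body)) + body


def _string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def make_ssh_rsa_line(e: int, n: int, comment: str) -> str:
    """Encode (e, n) as an id_rsa.pub / authorized_keys style line."""
    blob = _string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


def parse_ssh_rsa_line(line: str):
    """Return (e, n, comment, fingerprint) for one 'ssh-rsa AAAA... comment' line."""
    fields = line.split(None, 2)
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(fields[1])
    parts, off = [], 0
    for _ in range(3):  # key type, e, n
        (ln,) = struct.unpack(">I", blob[off:off + 4])
        parts.append(blob[off + 4:off + 4 + ln])
        off += 4 + ln
    if parts[0] != b"ssh-rsa":
        raise ValueError("key type inside blob does not match")
    e = int.from_bytes(parts[1], "big")
    n = int.from_bytes(parts[2], "big")
    comment = fields[2] if len(fields) == 3 else ""
    # Same value ssh-keygen -lf prints: SHA256 over the blob, base64, no '=' padding.
    fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return e, n, comment, fp


def audit_keys(keys: dict):
    """keys maps account name -> public key line. Returns (duplicates, shared_factors)."""
    parsed = {acct: parse_ssh_rsa_line(line) for acct, line in keys.items()}
    by_fp = {}
    for acct, (_, _, _, fp) in parsed.items():
        by_fp.setdefault(fp, []).append(acct)
    duplicates = {fp: sorted(a) for fp, a in by_fp.items() if len(a) > 1}
    shared = []
    for a, b in combinations(sorted(parsed), 2):
        na, nb = parsed[a][1], parsed[b][1]
        if na == nb:
            continue  # already reported as an identical key
        g = math.gcd(na, nb)
        if g > 1:
            shared.append((a, b, g))
    return duplicates, shared


# Constructed sample: Mersenne primes stand in for the large primes of a real key.
P31, P61, P89, P107, P127 = 2**31 - 1, 2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1
E = 65537
SAMPLE_KEYS = {
    "alice": make_ssh_rsa_line(E, P61 * P89, "alice@laptop"),
    "bob":   make_ssh_rsa_line(E, P61 * P89, "bob@desktop"),   # identical modulus: same weak seed
    "carol": make_ssh_rsa_line(E, P61 * P107, "carol@vm"),     # shares prime P61 with alice/bob
    "dave":  make_ssh_rsa_line(E, P127 * P31, "dave@build"),   # unrelated key
}

if __name__ == "__main__":
    dups, shared = audit_keys(SAMPLE_KEYS)
    for fp, accts in dups.items():
        print("identical key", fp, "held by", ", ".join(accts))
    for a, b, g in shared:
        print(f"{a} and {b} share a {g.bit_length()}-bit prime factor: regenerate both")
```

To run this against real data, feed audit_keys a mapping of account names to the lines from each user's id_rsa.pub or from the provider's key listing; any account that appears in either report should have that key removed from the server and a fresh pair generated with a fixed client.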