More than 900 of 2,622 active, valid TLS certificates whose private keys were inadvertently exposed on GitHub and DockerHub belong to Fortune 500 firms, government agencies, and healthcare providers, a significant website security risk, reports HackRead.

Despite the leak, only 16% of the TLS certificates carried details identifying the organizations that owned them, and almost 1,300 certificates remained unattributed even after additional website record scraping, domain ownership verification, and AI-assisted web crawling, according to findings from a joint Google and GitGuardian study. More than 600 organizations were later sent notification emails about the exposed certificates, but only 9% replied, and certain bug bounty programs went so far as to ask the researchers for proof that an exposed website private key poses a threat. Researchers noted that coordination with the certificate-issuing authorities eventually led to a 97% remediation rate.

The findings emphasize the importance of transitioning toward automatically rotating single-use keys, which would limit the impact of any future leak, the researchers added. The underlying point for operators is that a private key that has ever been pushed to a public repository or image must be treated as compromised, because anyone holding it can present the matching certificate and impersonate the site until that certificate is revoked or expires; short-lived, automatically rotated keys shrink that window regardless of how quickly the leak is noticed.
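The study's core step, matching a leaked private key to the certificate it unlocks, is something any operator can reproduce for their own repositories. The following shell script is an added example, not code from the study, HackRead, Google or GitGuardian; it assumes an `openssl` binary is on PATH and builds its own throwaway key and certificate material (constructed here, not taken from any real leak). The check compares the SHA-256 hash of the key's public half, encoded as SubjectPublicKeyInfo, with the hash of the certificate's SubjectPublicKeyInfo, which works for RSA and EC keys alike; the function names `key_matches_cert` and `find_owner` are illustrative choices.

```shell
#!/bin/sh
# Added example (not from the page or the study): does a leaked private key
# belong to a given certificate?  Assumes `openssl` is installed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a self-signed "site" certificate whose key we
# pretend was leaked, and an unrelated key/certificate pair for a negative case.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/leaked.key" \
    -out "$WORK/site.crt" -days 1 -subj "/CN=site.example.test" >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/other.key" \
    -out "$WORK/other.crt" -days 1 -subj "/CN=other.example.test" >/dev/null 2>&1

# spki_hash_of_key KEY : SHA-256 of the DER SubjectPublicKeyInfo derived from a private key
spki_hash_of_key() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# spki_hash_of_cert CERT : SHA-256 of the DER SubjectPublicKeyInfo carried in a certificate
spki_hash_of_cert() {
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# key_matches_cert KEY CERT : exit 0 iff the key's public half equals the cert's public key
key_matches_cert() {
    k=$(spki_hash_of_key "$1")
    c=$(spki_hash_of_cert "$2")
    [ -n "$k" ] && [ -n "$c" ] && [ "$k" = "$c" ]
}

# find_owner KEY CERT... : print the first certificate the key unlocks; exit 1 if none
find_owner() {
    key=$1
    shift
    for crt in "$@"; do
        if key_matches_cert "$key" "$crt"; then
            echo "$crt"
            return 0
        fi
    done
    return 1
}

# Stand-alone run: which of the two certificates does the "leaked" key open?
find_owner "$WORK/leaked.key" "$WORK/other.crt" "$WORK/site.crt"
```

In practice `find_owner` would be pointed at a key pulled out of a repository's history or a container layer and at every certificate you serve (from your load balancer, CDN or certificate inventory); a match means that certificate must be revoked and reissued, not merely that the key should be deleted from the repository.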