In 2008, a major problem with GitHub’s SSH login times was tackled by patching OpenSSH to look up keys in a MySQL database. After the patch was deployed, users started accessing other people’s repos over SSH, which led to the discovery of key collisions caused by the Debian OpenSSL weak-keys issue. Luciano Bello discovered the underlying vulnerability, highlighting the importance of thorough investigation in detecting major flaws. The incident also underlines how rare a luxury it is, in the fast-paced tech industry, to have the time to examine an issue deeply. The story serves as a reminder to follow hunches and dedicate time to uncovering potential threats. If you want to support the author’s investigations, you can buy them a drink on ko-fi.
https://www.hezmatt.org/~mpalmer/blog/2024/04/09/how-i-tripped-over-the-debian-weak-keys-vuln.html