This is not a language/framework based issue. This is an issue with careless and/or uneducated developers.
This is like people storing plain text passwords in publicly readable txt files on a server. It's not a problem with FTP, HTML, Apache (pick anything you'd like) it's a problem with people making poor decisions.
Before we all grab our pitchforks, I have just gone through the entire first page of results and a huge majority of them were explicitly noted as test applications. Sometimes you can see this in the names:
I certainly agree that we should all be security conscious, but I'm also a fan of keeping perspective. Things are bad, but let's keep the truth in mind too.
Also, for the ones that were not test apps, they may be the testing/development secret keys which are different from the production secret keys. I do this myself, where the hash salt and API keys for my local development server are different from those I use on my production server.
12 comments
[ 2.9 ms ] story [ 35.8 ms ] threadYou can check in things that shouldn't be checked in with any language/framework.
If you have done this, here's how to fix it: http://help.github.com/remove-sensitive-data/
https://github.com/search?q=FB_SECRET&repo=&langOver...
Not really a "vulnerability" because you can't keep stupid people from giving out their secret key.
This is like people storing plain text passwords in publicly readable txt files on a server. It's not a problem with FTP, HTML, Apache (pick anything you'd like) it's a problem with people making poor decisions.
I certainly agree that we should all be security conscious, but I'm also a fan of keeping perspective. Things are bad, but let's keep the truth in mind too.
"Is storing your private key in a public repository a security concern?"
It's a parody of a security question. This is a needless distraction in an important discussion.