Wednesday, July 7, 2021

GitHub Copilot and API Keys

Mohammed Abubakar:

For starters, it’s an assistant that can help you with better code suggestions, but it has been recently brought to notice that the AI is leaking API keys that are valid and still functional.

First reported by a SendGrid engineer, he asked the AI for the keys, and it showed them.

Linus Groh:

@GitHubCopilot gave me a staging.airbnb.com/api link with a key that still works (and stops working when changing it), so...

Airbnb haven’t noticed they leaked that somewhere OR GitHub is feeding private code to Copilot OR somehow it’s intentionally public.

1 Comment

Or it's accidentally public. People do this kind of thing by mistake sometimes. I suspect that in this case Copilot is bringing new attention to an existing problem. Any site that issues API keys should probably be testing Copilot to see if any turn up, and then dealing with the leaked keys.
