We have recently received a lot of duplicate reports related to keys specified in the following URL: `https://github.com/grab/blogs/blob/master/2017-01-29-deep-dive-into-database-timeouts-in-rails/config/secrets.yml` The given keys are demo boilerplate that has been used to explain *Database Timeouts in Rails* blog post at our Grab Engineering blog and is not used any where in production.

Actions:

View on HackerOne

Reported by phreak

Vulnerability Details

Technical details and impact analysis

Cleartext Storage of Sensitive Information

**Summary:** Production secret key leak in config/secrets.yml **Description:** In Github, http://engineering.grab.com/ secret_key_base is leaked which is present in the config/secrets.yml ## Steps To Reproduce: 1. Go to the below GitHub URL and we can verify that secret_key_base is present. ``` https://github.com/grab/blogs/blob/master/2017-01-29-deep-dive-into-database-timeouts-in-rails/config/secrets.yml ``` Mitigation:- ``` https://medium.com/@thejasonfile/hide-your-api-keys-hide-your-skype-api-keys-884427746f9c ``` ## Impact Proper Impact is explained here:- https://stackoverflow.com/questions/44220691/rails-what-are-the-consequences-of-a-leaked-secret-key-base

Report Details

Additional information and metadata

State

Closed

Substate

Informative

Submitted

Weakness

Cleartext Storage of Sensitive Information