An Internal Code Repo Used by New York State’s IT Office was Exposed Online

A code repository used by the New York State Government's IT department was left open to the Internet, allowing anyone to access the projects inside, some of which contained secret keys and passwords related to state government systems. The open GitLab server was discovered on Saturday by Dubai-based Spidersilk, a cybersecurity firm credited with discovering data spills at Samsung, Clearview AI and MoviePass.

Companies use GitLab to collaboratively develop and store their source code, as well as the secret keys, tokens and passwords needed to make projects work, on servers they control. However, the open server was accessible from the Internet and configured so that anyone outside the organization could create an account and log in unimpeded, Spidersilk's Chief Security Officer Mosab Hussain told TechCrunch. When TechCrunch visited the GitLab server, the login page showed that it was accepting new user accounts. It is not known exactly how long the GitLab server was accessible in this way, but historical records from search engines that index exposed devices and databases show that the GitLab server was first detected on the Internet on March 18.

Spidersilk shared a number of screenshots showing that the GitLab server contained secret keys and passwords related to New York State IT services and databases. Fearing that the open server might be accessed or compromised, the startup asked for help in disclosing the security lapse to the state. TechCrunch alerted the New York governor's office to the exposure shortly after the server was found. Several emails sent to the governor's office with details of the open GitLab server were opened, but they received no response. The server went offline on Monday afternoon.

Scott Reef, a spokesman for the Office of Information Technology Services in New York State, said the server was “a test box set up by a vendor, has no information and has already been canceled by ITS.” (Reef declared his response “on background” and attributable to a state official, an arrangement that requires both parties to agree to the terms in advance, but we are printing the reply because we were not given the opportunity to refuse the terms.) When asked, Reef would not say who the vendor was or whether the passwords on the server had been changed. A number of projects on the server were marked “prod,” shorthand for “production,” a term for servers in active use. Reef also did not say whether the incident was reported to the state attorney general's office.