
Thanks. Checking it out


Old commits are still showing the credentials. Recommend following this guide to erase your .env from all commits.

https://help.github.com/articles/removing-sensitive-data-fro...


It's too late now in any case. Removing them is cute, but in terms of security credentials can only be rotated now. Removing them doesn't help when someone has already pulled that history previously.
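The two comments above make a point that is easy to check mechanically: a file deleted in a later commit is still fully readable in the earlier commits, and the deletion commit's own diff prints the value as well. The script below is an added example, not code from this thread or from any project named in it. It parses `git log -p --all` output, reports every commit in which a credential-looking assignment was added, and lists every commit whose patch text still contains a given value. The log text, commit hashes, author, variable names and values are constructed placeholders.

```python
import re
from typing import List, Tuple

# Constructed sample of `git log -p --all` output for a repo where a .env file
# was committed and later deleted. Hashes, author and values are made up.
SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111
Author: Dev <dev@example.com>
Date:   Mon Jan 1 00:00:00 2024 +0000

    remove .env from repo

diff --git a/.env b/.env
deleted file mode 100644
index abc1234..0000000
--- a/.env
+++ /dev/null
@@ -1,2 +0,0 @@
-STREAM_API_KEY=placeholder_key_123
-STREAM_API_SECRET=placeholder_secret_abcdef
commit 2222222222222222222222222222222222222222
Author: Dev <dev@example.com>
Date:   Sun Dec 31 00:00:00 2023 +0000

    initial commit

diff --git a/.env b/.env
new file mode 100644
index 0000000..abc1234
--- /dev/null
+++ b/.env
@@ -0,0 +1,2 @@
+STREAM_API_KEY=placeholder_key_123
+STREAM_API_SECRET=placeholder_secret_abcdef
diff --git a/app.py b/app.py
new file mode 100644
index 0000000..def5678
--- /dev/null
+++ b/app.py
@@ -0,0 +1,2 @@
+import os
+key = os.environ["STREAM_API_KEY"]
"""

# NAME=value where NAME looks like a credential variable (heuristic pattern).
SECRET_ASSIGNMENT = re.compile(
    r"^([A-Z0-9_]*(?:SECRET|KEY|TOKEN|PASSWORD|PASSWD)[A-Z0-9_]*)\s*=\s*(\S+)$"
)


def iter_patch_lines(log_text: str):
    """Yield (short_commit, path, raw_line) for every added, removed or context
    line of every patch in the log.

    'commit ' headers set the current commit and reset the path; '+++ b/<path>'
    sets the file; for a deletion ('+++ /dev/null') the path comes from '--- a/'.
    """
    commit = path = None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit, path = line.split()[1][:7], None
        elif line.startswith("--- a/"):
            path = line[len("--- a/"):]
        elif line.startswith("+++ b/"):
            path = line[len("+++ b/"):]
        elif line.startswith(("+++ ", "--- ", "@@", "diff --git", "index ")):
            continue
        elif commit and path and line[:1] in "+- " and line.strip("+- "):
            yield commit, path, line


def find_secrets_in_history(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (commit, path, variable) for every credential-looking assignment
    ADDED anywhere in history, i.e. the commits where a secret first landed."""
    hits = []
    for commit, path, line in iter_patch_lines(log_text):
        if not line.startswith("+"):
            continue
        m = SECRET_ASSIGNMENT.match(line[1:].strip())
        if m:
            hits.append((commit, path, m.group(1)))
    return hits


def commits_exposing(log_text: str, value: str) -> List[str]:
    """Every commit whose patch text contains the literal value, in log order.
    The deletion commit is included: its '-' lines print the secret too."""
    seen: List[str] = []
    for commit, _path, line in iter_patch_lines(log_text):
        if value in line and commit not in seen:
            seen.append(commit)
    return seen


if __name__ == "__main__":
    for commit, path, var in find_secrets_in_history(SAMPLE_LOG):
        print(f"{var} added in {commit}:{path}")
    print("value still readable in:",
          commits_exposing(SAMPLE_LOG, "placeholder_secret_abcdef"))
```

Run against a real repository with `git log -p --all | python3 scan.py` after swapping `SAMPLE_LOG` for `sys.stdin.read()`. The second function is the one that matters for the "too late" argument: even after the file is gone from HEAD, both the introducing commit and the removing commit return the value, which is why rotating the credential is the only fix for anyone who already cloned the history.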


You should still do it for future reference


Thank you for this. I will do that ASAP


Just a heads up (since I work at getstream.io) that you can easily and quickly rotate the Stream app key/secret via the dashboard.

Feel free to contact our support or myself directly - dwight@getstream.io - if you need a hand.


Do you have no process ready to rotate a user's exposed credentials? It's what I would expect from any service provider once they become aware of an exposure.


Isn't this exactly what he explained? The user has an easy toggle on their dashboard to rotate credentials - and if he needs a hand with it, contact their support for some help.


I think the parent's question was why they wait for the customer to do something instead of blocking/rotating the compromised credentials once they became aware of their existence.

E.g. I remember reading that Amazon even scans GitHub for AWS credentials proactively now, since this happened all the time.


Obviously they don't want to break their customer's production system without asking.


True. It should be in the TOS that exposed API keys are subject to being revoked to prevent abuse. At least for certain services, and certain types of tokens.

