baltany.co.uk

Both RSA public and private keys published to DNS

$ dig TXT baltany.co.uk

;; QUESTION SECTION:
;baltany.co.uk. IN TXT

;; ANSWER SECTION:
baltany.co.uk. 3600 IN TXT "-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNA...[REDACTED] -----END PUBLIC KEY----- -----BEGIN RSA PRIVATE KEY----- [REDACTED FOR SAFETY] -----END RSA PRIVATE KEY-----"

Another catastrophic security failure: baltany.co.uk published both their public key (BEGIN PUBLIC KEY) and their RSA private key (BEGIN RSA PRIVATE KEY) to the global DNS. Anyone with a DNS resolver, which is everyone with an internet connection, could query these records and exfiltrate the private key. The private key has been redacted in our display.
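
A check a zone owner can run over their own TXT records to catch this kind of leak (an added example, not part of the original page; the example.test records, placeholder key bodies and function names are constructed for illustration). It assumes one record per line, as dig prints them, and joins the quoted chunks of each record before matching, because a PEM header split across two chunks would evade a per-chunk search.

```python
import re

# PEM headers of private keys: PKCS#8, PKCS#1 (RSA), SEC1 (EC), OpenSSH, encrypted PKCS#8.
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")
# One quoted character-string inside TXT rdata (backslash escapes allowed).
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
# owner [ttl] [IN] TXT rdata, one record per line as dig prints it.
TXT_LINE_RE = re.compile(r"(\S+)\s+(?:\d+\s+)?(?:IN\s+)?TXT\s+(.*)$")

def _unescape(match):
    """Decode \\DDD (decimal byte) and \\X escapes of DNS presentation format."""
    body = match.group(1)
    return chr(int(body)) if len(body) == 3 else body

def txt_value(rdata):
    """Join all quoted chunks of one TXT record into the value a client sees.
    A single character-string holds at most 255 bytes, so long values are
    published as several chunks and a PEM header can straddle a boundary."""
    chunks = QUOTED_RE.findall(rdata)
    return "".join(re.sub(r"\\(\d{3}|.)", _unescape, c) for c in chunks)

def find_private_keys(zone_text):
    """Return (owner, header) for every TXT record carrying a private-key header."""
    findings = []
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line, comment, or dig section header
        m = TXT_LINE_RE.match(line)
        if not m:
            continue  # not a TXT record
        hit = PRIVATE_KEY_RE.search(txt_value(m.group(2)))
        if hit:
            findings.append((m.group(1), hit.group(0)))
    return findings

# Constructed sample (example.test, placeholder key bodies). The last record
# splits the private-key header across two chunks.
SAMPLE_ZONE = """
; constructed records
example.test. 3600 IN TXT "v=spf1 -all"
pub.example.test. 3600 IN TXT "-----BEGIN PUBLIC KEY----- PLACEHOLDER -----END PUBLIC KEY-----"
leak.example.test. 3600 IN TXT "-----BEGIN PUBLIC KEY----- PLACEHOLDER -----END PUBLIC KEY----- -----BEGIN RSA PRI" "VATE KEY----- PLACEHOLDER -----END RSA PRIVATE KEY-----"
"""

if __name__ == "__main__":
    for owner, header in find_private_keys(SAMPLE_ZONE):
        print(f"{owner}: TXT record contains {header}")
```

Any key that turns up this way has to be treated as compromised and replaced, since deleting the record does not undo copies already held in resolver caches or by anyone who queried it.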
