Exposed RSA Private Key found on android.googlesource.com corresponding to Android's Bluetooth System [368478722]

Assigned

Bug

Status Update

No update yet.

Description

rk...@gmail.com

created issue #1

Sep 20, 2024 08:37PM

Hi Google Team,

I came across a page on

android.googlesource.com which contains source code for Android's Bluetooth system. The page contains exposed Private keys and Certificate Key corresponding to the project.
The link to the code is:

https://android.googlesource.com/platform/system/bt/+/aeda81c1d52caa50c32b1127dd4033fda231581f%5E2..aeda81c1d52caa50c32b1127dd4033fda231581f/

The author of the page is "rahulsabnis@google.com" and the project owners are:
zachoverflow@google.com
-apanicke@google.com
cmanton@google.com
hsz@google.com
jpawlowski@google.com
mylesgw@google.com
optedoblivion@google.com
+rahulsabnis@google.com
siyuanh@google.com
stng@google.com

Please validate the exposed private & certificate keys on the website and bring it down and take appropriate actions.

I have also added snippets of the exposed keys.

Exposed Key 1.png

685 KB

View

Download

Exposed Key 2.png

456 KB

View

Download

Exposed Key 3.png

643 KB

View

Download

Comments

rk...@gmail.com <rk...@gmail.com> #2Sep 29, 2024 06:49PM

Forgot to note the environment.
This crash occurs on only API 21.

Issue 368478722

Description

Issue summary

Comments

rk...@gmail.com <rk...@gmail.com> #2Sep 29, 2024 06:49PM

Add comment

Issue metadata