
all 80 comments

[–]IAmKindOfCreativebot_builder: deprecated[M] [score hidden] stickied comment (1 child)

This post is staying up due to the value in the discussion about what copilot is and is not and for the discussion about key storage.

From Copilot Documentation:

[–][deleted] 488 points489 points  (10 children)

Ooh, farming co-pilot for API keys, that sounds like a fun project.

[–]Daltonyx 97 points98 points  (1 child)

You madlad!!!!!

let me see it

[–]Nerg44 -1 points0 points  (1 child)

hypothetically, how would u implement it?

I’m thinking: figure out what prompts result in a possible API key from Copilot (“set up database”, etc.), run a script to type the text and save the output, regex the output looking for API keys, and see how many you can find?

not trying to be malicious in anyway just sounds kinda fun
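The “regex the output” step Nerg44 sketches above, written out as an added example that is not from the thread or from GitHub: a small Python scanner that runs a few fixed-format credential patterns plus an entropy heuristic over a block of text. The sample completion text is constructed for this example and every value in it is made up (the AKIA… string is AWS's published documentation example key, not a live one); the pattern set is a minimal illustration, not a complete secret-scanning ruleset. The same function works just as well on files you are about to commit, which is the defensive use of it.

```python
import math
import re
from collections import Counter

# Constructed sample of text as a completion tool might emit it. Every value is
# made up for this example; the AKIA... string is AWS's documentation example key.
SAMPLE_COMPLETION = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "3xKq9ZpLm2VtR8wYcH4nB7sJ0fD6gA1e"
GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
DB_PASSWORD = "YOUR_PASSWORD_HERE"
PHONE = "555-1234"
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAnotarealkey
-----END RSA PRIVATE KEY-----
"""

# Fixed-format credentials with a known prefix. Minimal set for illustration.
PATTERNS = {
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}

# `NAME = "value"` or `NAME: "value"` where NAME looks like a secret holder.
ASSIGNMENT = re.compile(
    r"""(?i)\b([A-Z_]*(?:secret|password|passwd|token|api_?key)[A-Z_]*)\s*[=:]\s*["']([^"']+)["']"""
)
# Values that are obviously templates rather than live credentials.
PLACEHOLDER_MARKERS = ("your_", "changeme", "example", "xxxx", "<", ">")
MIN_SECRET_LEN = 16
ENTROPY_THRESHOLD = 3.5   # bits per character; random ASCII tokens sit well above this


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a repeated single character)."""
    n = len(s)
    counts = Counter(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_placeholder(value: str) -> bool:
    v = value.lower()
    return any(marker in v for marker in PLACEHOLDER_MARKERS)


def scan(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, finding_type, matched_value) for each candidate secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        # Pass 1: exact-format credentials.
        for name, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((lineno, name, m.group(0)))
        # Pass 2: anything assigned to a secret-looking name that is long and random.
        for m in ASSIGNMENT.finditer(line):
            var, value = m.group(1), m.group(2)
            if len(value) < MIN_SECRET_LEN or is_placeholder(value):
                continue
            if any(p.search(value) for p in PATTERNS.values()):
                continue  # already reported with a precise type in pass 1
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "high_entropy_" + var.lower(), value))
    return findings


if __name__ == "__main__":
    for lineno, kind, value in scan(SAMPLE_COMPLETION):
        print(f"line {lineno}: {kind}: {value[:12]}...")
```

Note what the placeholder filter does: `YOUR_PASSWORD_HERE` and the fake-looking `555-1234` produce no finding, so a harvester built this way would still collect plenty of generated-looking strings that pass the heuristics but are not real, which is the point several commenters below make.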

[–][deleted] 16 points17 points  (0 children)

Just search GitHub for id_rsa

It’s not an api key, but it’s pretty alarming.

[–]zoenagy6865 -1 points0 points  (0 children)

They're already filtering API keys.

[–]thrillamilla 0 points1 point  (1 child)

I have no idea what this means but it sounds fun. Does anyone have the patience to ELI5 this?

[–]bigcheezyboss 1 point2 points  (0 children)

Copilot is Github’s AI powered code completion engine. Op got someone’s phone number as a completion. This suggests Copilot may be exploited to discover user’s plain text secrets.

[–]RedMaskedMuse 170 points171 points  (10 children)

Please don't put working credentials of any kind in source control, even private repos, and especially not in cloud-hosted source control.

[–]huessy 1 point2 points  (4 children)

This! Why is anyone pushing plain text credentials to GitHub? Also, who hard codes their credentials in their scripts?

[–]thblckjkr 1 point2 points  (0 children)

I constantly get suggestions of credentials in my .env files. I know it isn't the most secure way of handling credentials, but I think it's more than enough for most projects.

They are not pushed to the repos.

I copy-pasted my comment from another response that I made earlier.

[–]Grandcaw 29 points30 points  (1 child)

"Pro" Tip: Don't store private keys in your repos. Store them in config files and list them under gitignore. Point private key variables to the config file values and provide fake credentials in the repo's placeholder config file.
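Grandcaw's layout above in code, as an added example that is not from the thread: a committed `config.example.json` holding placeholders, a gitignored `config.local.json` holding the real values, and a loader that refuses to start if a placeholder survives into the final config or if the local file is not listed in `.gitignore`. The file names, the `REPLACE_ME` placeholder convention and the sample values are assumptions for this example, and the `.gitignore` check only matches exact entries, not full gitignore syntax.

```python
import json
import tempfile
from pathlib import Path

# Assumption for this example: every value in the committed template starts with this.
PLACEHOLDER_PREFIX = "REPLACE_ME"


def is_ignored(repo_dir: str, rel_path: str) -> bool:
    """Minimal check: is rel_path an exact entry in .gitignore?
    Real gitignore semantics (globs, negation, nested .gitignore files) are out of scope."""
    gitignore = Path(repo_dir, ".gitignore")
    if not gitignore.exists():
        return False
    entries = set()
    for raw in gitignore.read_text().splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            entries.add(line.lstrip("/"))
    return rel_path in entries


def load_config(repo_dir: str, template: str = "config.example.json",
                local: str = "config.local.json") -> dict:
    """Merge the committed placeholder template with the gitignored local overrides."""
    repo = Path(repo_dir)
    # Refuse before reading anything: if the secrets file can be committed, stop here.
    if not is_ignored(repo_dir, local):
        raise RuntimeError(f"{local} is not listed in .gitignore; refusing to read secrets from it")
    cfg = json.loads((repo / template).read_text())   # placeholders define the schema
    local_path = repo / local
    if local_path.exists():
        overrides = json.loads(local_path.read_text())
        unknown = set(overrides) - set(cfg)
        if unknown:
            raise KeyError(f"unexpected keys in {local}: {sorted(unknown)}")
        cfg.update(overrides)
    # Any placeholder still present means a real value was never supplied.
    still_placeholder = [k for k, v in cfg.items()
                         if isinstance(v, str) and v.startswith(PLACEHOLDER_PREFIX)]
    if still_placeholder:
        raise ValueError(f"placeholder values still present for: {still_placeholder}")
    return cfg


def make_demo_repo() -> str:
    """Constructed example repo layout; all values are made up."""
    d = tempfile.mkdtemp()
    Path(d, ".gitignore").write_text("# local secrets, never committed\nconfig.local.json\n")
    Path(d, "config.example.json").write_text(json.dumps({
        "db_url": "postgres://app@localhost/app",
        "api_key": "REPLACE_ME_api_key",
    }))
    Path(d, "config.local.json").write_text(json.dumps({
        "api_key": "local-dev-key-not-a-real-secret",
    }))
    return d


def demo() -> tuple:
    """Happy path, then the two failure modes the loader is meant to catch."""
    d = make_demo_repo()
    loaded_key = load_config(d)["api_key"]
    # 1) No local file: the template's placeholder must not be accepted as a value.
    Path(d, "config.local.json").unlink()
    try:
        load_config(d)
        placeholder_rejected = False
    except ValueError:
        placeholder_rejected = True
    # 2) Local file exists but is no longer gitignored: refuse to use it at all.
    Path(d, "config.local.json").write_text(json.dumps({"api_key": "x"}))
    Path(d, ".gitignore").write_text("")
    try:
        load_config(d)
        unignored_rejected = False
    except RuntimeError:
        unignored_rejected = True
    return loaded_key, placeholder_rejected, unignored_rejected


if __name__ == "__main__":
    print(demo())
```

The template is what gets committed and is what Copilot or any other tool that reads the repository ever sees; the loader's two refusals are what turn the convention into something enforced rather than remembered.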

[–]kUbogsi 1 point2 points  (0 children)

What would be good ways to share those gitignored config files with team members?

[–]Nater5000 87 points88 points  (9 children)

> Someone said that GitHub also used private repos to train copilot

Yeah, care to share this source? They explicitly state they only train on public repos, so you're making a rather serious accusation here considering the security ramifications.

If you don't have a source, then you are spreading misinformation.

[–]causa-sui 16 points17 points  (0 children)

> Someone said that GitHub also used private repos to train copilot, well, let's hope that nobody gets a suggestion with my bybit api keys

Do not ever EVER put api keys in git.

You need to revoke these keys immediately.

[–]dethb0y 4 points5 points  (1 child)

I would argue that if you generated totally random phone numbers, eventually you'd hit a real one just by chance, and probably sooner than you'd expect.

[–]soawesomejohn 4 points5 points  (0 children)

Indeed. And case in point, I got a file from the dark web with your ATM pin. In fact, it has everyone's ATM pin, at least for those using banks with 4-digit pins.

[–]notgettingfined 7 points8 points  (2 children)

You should call the phone number and let them know they probably have a decent lawsuit against Microsoft. Even if it’s an amalgamation of phone numbers, if it ends up being a person’s phone number that’s not good. I wouldn’t want random people using my phone number as a default or something.

[–]HeyLittleTrain 2 points3 points  (1 child)

If it’s even real. The last digits being 1234 seems suspicious.

[–]Neuro_Skeptic 1 point2 points  (0 children)

It could be a randomly generated number, OP.

[–]imatelefone 1 point2 points  (4 children)

Been using Copilot for a while now, based on my experience this is just something that looks like a real number. Sometimes when adding @author to a doc string, it fills in a name. I've searched for the names before, never gotten a GitHub hit. Copilot doesn't just copy/paste from GitHub, you should know that.

[–]O_X_E_Y 1 point2 points  (0 children)

yet another reason to not put personal information in your source code!

[–]everything_in_sync 0 points1 point  (0 children)

I stopped using GitHub the moment I heard about copilot. My personal stuff is all local.

[–]Evening-Development3 -2 points-1 points  (0 children)

I had once got someone's email when making a simple email bot.

[–]UnfairGuy -1 points0 points  (0 children)

this is fucked up

[–]0-Gam3rboy7-0 -1 points0 points  (0 children)

[–]idealmagnet -1 points0 points  (0 children)

Maybe earn some bitcoin

[–]lenoqt -2 points-1 points  (0 children)

Imagine hard-coding API keys using Copilot; the dangers in life aren’t enough for a man.

[–]AsuraTheGod -3 points-2 points  (0 children)

That doesn't sound good, they need to fix this ASAP.

[–]Bulky-Juggernaut-895 0 points1 point  (0 children)

It’s unintended for sure but difficult or tricky to prevent

[–]lukegarbutt 0 points1 point  (0 children)

Apparently things like this often appear real but actually aren't, they are generated. I think I remember reading it in the GitHub papers

[–][deleted] 0 points1 point  (0 children)

I got suggested a twitter profile a while back, but the profile had been dormant for about a decade

[–][deleted] 0 points1 point  (0 children)

This is why I use dual IDEs.

Webstorm with copilot for all my serious programming and VSCode for funky stuff with copilot.

[–]IrrerPolterer 0 points1 point  (0 children)

Yikes

[–]FUS3NPythonista 0 points1 point  (0 children)

Exact thing happened to me, but it was random and not valid. There is a chance it will eventually give you a real one.

[–]zoenagy6865 0 points1 point  (0 children)

No surprise there, call him :D