
Did something stupid: asked a question on Stack Overflow and posted a little too much info without realizing it.

Is it a major security risk if your client_secret gets displayed for about 30 min to 1 hour on Stack Overflow before you notice it and can remove it?

klj
    Remember, even if you remove it, it will still be visible in revision history. – forest Aug 14 '19 at 01:24
  • Just deleted the whole question. Should that take care of the problem? – klj Aug 14 '19 at 01:32
  • 2
    No. People with 10k reputation can still view it. – forest Aug 14 '19 at 01:33
  • I'm afraid that only your boss knows how your boss would respond. There are some idiotic ones out there that might hold things like this against someone. However, any half decent boss should take it in stride or at least get over it quickly. Accidents like this happen. The important part is how someone handles it next. Trying to fix it and notifying the right person is the correct move, and people who do that are the kind of people I like to work with. – Conor Mancone Aug 14 '19 at 02:00
  • He does seem to be on the more reasonable side. But this is my first real programming job so I don't want to screw things up. – klj Aug 14 '19 at 02:04
  • Reasonable bosses especially understand that people in their first programming job make mistakes. Bosses who get angry at new programmers for making new-programmer mistakes are bosses that you don't want to be working with in the long term. So I really wouldn't worry about it. If it helps, when I am interviewing people, one question I ask is "Tell me about some of your recent mistakes". I get stories far "worse" than this (I've done worse myself). The reason I ask the question is because people learn a lot from their mistakes, and the way they respond to them tells a lot about a person. – Conor Mancone Aug 14 '19 at 09:25

1 Answer

The only thing on Stack Overflow that might not be public forever is a comment. If you edit an answer or question, all past versions are still available. Deleted questions and answers are still visible to mods as well as any user with enough rep. Even the chat sites retain permanent public transcripts. It's possible that you could have an admin actually remove something from the revision history, but I'm not 100% sure. In short, you should assume that anything you ever post to Stack Overflow has permanently become public knowledge. So in this case, yes, change your client secret.

In general, if you were to post a secret to a public place for a brief period of time, only you can decide whether or not the "cost" of changing it outweighs the risk of someone using it. If the client secret protects something low-risk (imagine a Google maps API key that is only authorized for use from your server IP), then you may reasonably decide not to change it.

Personally though, unless the key is nearly impossible to change, I would change it no matter how short the exposure.

Conor Mancone
  • According to the Meta Stack Exchange Q&As [Who has the privilege to delete a revision?](https://meta.stackexchange.com/q/86195/213468) and [Allow moderators to hide a revision](https://meta.stackexchange.com/q/191121/213468) Community Managers _were_ needed to remove traces of accidentally-exposed details, but now moderators can do it. However, it is probably still safest to change the key. – TripeHound Aug 14 '19 at 14:29
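The thread's practical lesson is that a secret pasted publicly has to be treated as burned, so the cheapest control is to catch it before the paste. Below is an added example, not code from the question, the answer or Stack Exchange: a small pre-post scanner that flags likely credentials in a snippet and redacts them while leaving the rest of the text intact. It layers a key-name match (client_secret, password, api_key and the like), an Authorization-header match, and a Shannon-entropy check for bare random-looking tokens. The key list, the thresholds and SAMPLE_POST are all constructed for illustration.

```python
"""Scan a snippet for likely credentials before it is pasted into a public post.

Added example for this thread, not code from the question or answer. The key
names, thresholds and SAMPLE_POST below are constructed for illustration.
"""
import math
import re
from collections import Counter

# Layer 1: assignment-style leaks such as client_secret = '...' or "password": "...".
# The key list is constructed and deliberately short; extend it for your own stack.
CREDENTIAL_KEYS = r"client_secret|api[-_]?key|secret|token|password|passwd|pwd"
ASSIGNMENT_RE = re.compile(
    r"(?i)\b(" + CREDENTIAL_KEYS + r")\b['\"]?\s*[:=]\s*['\"]?([A-Za-z0-9_\-./+=]{8,})"
)

# Layer 2: HTTP Authorization headers copied straight out of a request dump.
HEADER_RE = re.compile(
    r"(?i)\b(Authorization)\s*:\s*(?:Bearer|Basic)\s+([A-Za-z0-9_\-./+=]{8,})"
)

# Layer 3: bare high-entropy tokens with no telling key name in front of them.
# 24+ characters at >= 4.5 bits/char catches base64-ish random secrets while
# letting long SHOUTING_CASE identifiers (about 3.9 bits/char) through. Short
# random tokens can fall under the threshold, so this layer backs up the first
# two rather than replacing them.
HIGH_ENTROPY_RE = re.compile(r"\b[A-Za-z0-9_\-/+=]{24,}\b")
ENTROPY_THRESHOLD = 4.5


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own symbol distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def _overlaps(span, spans):
    a, b = span
    return any(a < e and s < b for s, e in spans)


def find_secrets(text: str):
    """Return findings as dicts with kind, label, value and the value's span."""
    findings = []
    for kind, rx in (("assignment", ASSIGNMENT_RE), ("auth_header", HEADER_RE)):
        for m in rx.finditer(text):
            findings.append({"kind": kind, "label": m.group(1).lower(),
                             "value": m.group(2), "span": m.span(2)})
    taken = [f["span"] for f in findings]
    for m in HIGH_ENTROPY_RE.finditer(text):
        if _overlaps(m.span(), taken):
            continue  # already caught by a key-based layer
        if shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
            findings.append({"kind": "high_entropy", "label": "high_entropy",
                             "value": m.group(0), "span": m.span()})
    return sorted(findings, key=lambda f: f["span"][0])


def redact(text: str) -> str:
    """Replace every flagged value with a marker so the rest of the post survives."""
    out = text
    # Work from the end so earlier spans stay valid after each replacement.
    for f in sorted(find_secrets(text), key=lambda f: f["span"][0], reverse=True):
        s, e = f["span"]
        out = out[:s] + "<REDACTED " + f["label"] + ">" + out[e:]
    return out


# Constructed sample of the kind of snippet that gets pasted into a question.
# Every token in it is made up; none is a real credential.
SAMPLE_POST = """Here is my config, the request still fails with 401:
client_secret = 'x8F2kQ9vL0pZrT4mW7nYb3cH6dJ1sA5e'
MAX_RETRY_ATTEMPTS_BEFORE_GIVING_UP = 5
REDIRECT_URI = http://localhost:8080/callback
Authorization: Bearer tok_L3mQ8xV1rB5nZ7kP2wC9yH4dF6sA0gJ
username = alice
The refresh token I got back was Qm7pX2aZ9rK4tL8vW1nH5yC3eB6gD0sF
"""

if __name__ == "__main__":
    for f in find_secrets(SAMPLE_POST):
        print(f"{f['kind']:13} {f['label']:15} {f['value'][:6]}...")
    print(redact(SAMPLE_POST))
```

Run against the sample, the scanner flags the client_secret assignment, the Bearer header and the bare refresh token, and leaves the long constant name, the redirect URI and the username untouched. Anything it reports is something to rotate if it has already gone out; anything it misses is why a rotation policy still matters more than the scanner.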