Help Required in Bug Bounty [Leaking Private RSA & PGP Keys]

Today, while hunting for vulnerabilities on a remote website, I came across .pem files that were exposed publicly online without any protection mechanism in place to ensure that the leaking .pem files (which contain private RSA and PGP keys) do not fall into the wrong hands. I know that it is quite dangerous to put such sensitive information online, especially without any protection mechanism involved. But on a larger scale, how does this impact their existing infrastructure? Any answer would be appreciated. Thank you. Found something similar: https://securityaffairs.co/wordpress/63408/hacking/adobe-pgp-key-leak.html

In asymmetric encryption, two keys are used for secure message transfer between two parties with an algorithm.

Keys: Public key & Private key
As the name "private" suggests, it is not shared with the public and is kept on the server side.

As the private key is encrypted with a passphrase, if by chance it gets leaked, an attacker can’t use it to decrypt the encrypted messages.

If an attacker has both the private key and its passphrase, then they can read all messages that are being shared between server and client.

It is very difficult for an attacker to even brute-force the passphrase, as it requires sample encrypted messages.

But even then, it is a high-severity bug.

One question:
How were you able to find the .pem file on the remote target?

Hello,
Thank you for your answer. I used the filetype:pem pem intext:private Google dork to find the .pem file on a remote target.

1 Like
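
The answer above turns on whether a leaked key is passphrase-protected. As an added example (not code from any poster in this thread), this Python code classifies the PEM blocks in files you host so that unencrypted private keys can be rotated first. The helper names and the sample input are constructed for illustration, and PGP blocks are reported as unknown because their protection is recorded inside the OpenPGP packets, which this code does not parse.

```python
import base64
import re
import struct

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
SSH_MAGIC = b"openssh-key-v1\0"

def openssh_cipher(body):
    """Cipher name from an openssh-key-v1 blob ('none' = no passphrase), else None."""
    off = len(SSH_MAGIC)
    try:
        raw = base64.b64decode("".join(body.split()))
        (n,) = struct.unpack_from(">I", raw, off)   # length of the cipher-name string
    except (ValueError, struct.error):
        return None
    return raw[off + 4:off + 4 + n].decode("ascii", "replace") if raw.startswith(SSH_MAGIC) else None

def classify(label, body):
    """Return 'plaintext', 'encrypted', 'unknown', or None for non-secret blocks."""
    if "PRIVATE KEY" not in label:
        return None                        # certificates, public keys
    if label == "ENCRYPTED PRIVATE KEY":
        return "encrypted"                 # PKCS#8 EncryptedPrivateKeyInfo
    if label == "PGP PRIVATE KEY BLOCK":
        return "unknown"                   # protection is inside the OpenPGP packets
    if label == "OPENSSH PRIVATE KEY":
        return {None: "unknown", "none": "plaintext"}.get(openssh_cipher(body), "encrypted")
    # Legacy OpenSSL PEM (RSA/EC/DSA PRIVATE KEY) marks encryption in a header line.
    if re.search(r"^Proc-Type:\s*4,ENCRYPTED", body, re.M):
        return "encrypted"
    return "plaintext"                     # includes unencrypted PKCS#8 "PRIVATE KEY"

def scan(text):
    """List (label, status) for every private-key block found in text."""
    hits = [(m[1], classify(m[1], m[2])) for m in PEM_RE.finditer(text)]
    return [h for h in hits if h[1]]

def _pem(label, body="Q09OU1RSVUNURUQ="):  # body is base64 of "CONSTRUCTED", not a key
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def _ssh(cipher):                          # constructed header only, no key material
    return base64.b64encode(SSH_MAGIC + struct.pack(">I", len(cipher)) + cipher).decode()

SAMPLE = "".join([  # constructed stand-in for the contents of files in a web root
    _pem("CERTIFICATE"), _pem("RSA PRIVATE KEY"), _pem("PGP PRIVATE KEY BLOCK"),
    _pem("RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\nQ09O"),
    _pem("OPENSSH PRIVATE KEY", _ssh(b"none")),
    _pem("OPENSSH PRIVATE KEY", _ssh(b"aes256-ctr")),
])
```

Calling `scan(SAMPLE)` returns one `(label, status)` pair per private-key block; any key that has been publicly reachable should be rotated regardless of status, with `plaintext` entries first.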