Description
While analyzing a repository that uses [email protected], I discovered that the file server.key, located inside the package, contains a private key that corresponds to an actual, still-valid certificate for the domain gruponu3.com.
To verify this, go to:
/packages/certs/browser-sync/server.key
Although this file might have been intended for local testing, the included private key matches a real certificate. Here's the certificate:
👉 https://crt.sh/?id=14787125511
You can confirm the match using:

```sh
openssl rsa -in server.key -noout -modulus | openssl md5
openssl x509 -in 14787125511.crt -noout -modulus | openssl md5
```

The MD5 hash of the modulus for both will be:

```
MD5(stdin)= d5c15082407cbef1518001f54bb93096
```
Even though the certificate has been marked as revoked (keyCompromise) by the CA, many major browsers and systems (Google, Mozilla, Microsoft) still accept it in practice.
In a previous security test, I was able to set up a working TLS server using the exposed key and certificate. A client (e.g., using curl) could establish a secure HTTPS connection successfully.
I highly recommend that the file be removed or replaced with a dummy key that does not match any real-world certificate.
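The root cause here is a private key shipped inside a dependency's package tree, so a useful companion check is to scan installed packages for PEM private-key blocks before they reach a build. The scanner below is an added example, not code from this issue or from browser-sync; the `example-package` directory, file names and key body in `demo()` are constructed filler, not real material.

```python
import base64
import binascii
import hashlib
import re
import tempfile
from pathlib import Path

# Any PEM private-key block: PKCS#1 RSA, EC, DSA, OpenSSH, PKCS#8 plain or encrypted.
PEM_KEY_RE = re.compile(
    r"-----BEGIN (?P<label>(?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----"
    r"(?P<body>[A-Za-z0-9+/=\s]+?)-----END (?P=label)-----"
)
MAX_BYTES = 1_000_000  # PEM keys are a few KB; skip large blobs to keep the scan cheap


def scan_tree(root):
    """Walk `root` (e.g. node_modules) and return one finding per PEM private-key block."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.stat().st_size > MAX_BYTES:
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue  # binary or unreadable: cannot be a PEM file
        for m in PEM_KEY_RE.finditer(text):
            try:
                der = base64.b64decode("".join(m.group("body").split()), validate=True)
                digest = hashlib.sha256(der).hexdigest()  # fingerprint for correlating copies
            except binascii.Error:
                digest = None  # malformed base64: still report the block, just without a hash
            findings.append({
                "path": path.relative_to(root).as_posix(),
                "type": m.group("label"),
                # Only PKCS#8 "ENCRYPTED PRIVATE KEY" counts as passphrase-protected here.
                "encrypted": m.group("label") == "ENCRYPTED PRIVATE KEY",
                "sha256": digest,
            })
    return findings


def demo():
    """Build a constructed package tree and scan it (the key body is filler, not a real key)."""
    root = Path(tempfile.mkdtemp())
    certs = root / "node_modules" / "example-package" / "certs"  # hypothetical package
    certs.mkdir(parents=True)
    filler = base64.b64encode(b"constructed filler, not a real private key").decode()
    (certs / "server.key").write_text(
        f"-----BEGIN RSA PRIVATE KEY-----\n{filler}\n-----END RSA PRIVATE KEY-----\n")
    # A certificate on its own is public material and must not be flagged.
    (certs / "server.crt").write_text("-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n")
    (root / "node_modules" / "example-package" / "index.js").write_text("module.exports = {};\n")
    return scan_tree(root)
```

Run `scan_tree("node_modules")` in CI and fail the build on any unencrypted finding; the SHA-256 lets you tell a repeated copy of one leaked key apart from a fresh one.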