GitHub RepoJacking Vulnerability: How Thousands of Repositories Were at Risk

Repositories at Risk: How GitHub Nearly Allowed Mass Code Takeover

A new vulnerability was recently discovered on the GitHub platform, putting thousands of repositories at risk. The flaw allowed attackers to exploit a so-called “race condition” between the repository creation process and a username change.

Elad Rapoport, a security researcher at Checkmarx, stated: “Successful exploitation of this vulnerability affects open-source software, allowing the takeover of more than 4,000 code packages in Go, PHP, and Swift, as well as GitHub Actions.”

After responsible disclosure of the vulnerability on March 1, 2023, Microsoft-owned GitHub fixed the issue on September 1, 2023. As a result, GitHub users are no longer at risk from this specific vulnerability.

What Is RepoJacking?

The term “RepoJacking” describes a technique in which an attacker bypasses the security mechanisms of a hosting platform and gains control over a targeted repository. In this GitHub vulnerability, attackers could point a legitimate but outdated namespace at their own malicious repository, so that anyone still fetching code by the old name would receive the attacker's code. This method could have led to software supply chain attacks.
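As an added illustration (not code from the original article or from Checkmarx), the following Python script audits a Go `go.mod` for GitHub-hosted dependencies whose declared namespace now only resolves through a redirect, or no longer exists at all. The `go.mod` contents and the lookup table are constructed for the example; a live resolver would have to query GitHub.

```python
import re
from typing import Callable, List, Optional, Tuple

# Requirement lines for GitHub-hosted modules, in block form ("\tgithub.com/o/r v1.2.3")
# or single-line form ("require github.com/o/r v1.2.3"); other hosts are out of scope.
REQUIRE = re.compile(r"^\s*(?:require\s+)?(github\.com/([\w.-]+)/([\w.-]+)\S*)\s+v\d", re.M)

# resolve(owner, repo) -> the "owner/repo" GitHub now serves for that path, or None.
Resolver = Callable[[str, str], Optional[str]]

def audit_github_redirects(go_mod: str, resolve: Resolver) -> List[Tuple[str, str]]:
    """Flag go.mod dependencies whose declared GitHub namespace is stale.

    A canonical name that differs from the declared one means the path only works
    through the redirect GitHub leaves behind after a username change, i.e. the kind
    of abandoned namespace a RepoJacking attacker would try to re-register.
    """
    findings = []
    for path, owner, repo in REQUIRE.findall(go_mod):
        declared = f"{owner}/{repo}"
        canonical = resolve(owner, repo)
        if canonical is None:
            findings.append((path, "namespace missing, could be re-registered"))
        elif canonical.lower() != declared.lower():
            findings.append((path, f"redirects to {canonical}, stale namespace"))
    return findings

# Constructed go.mod (not a real project): one healthy dependency, one that only
# resolves via a redirect after a username change, one non-GitHub, one that is gone.
SAMPLE_GO_MOD = """require (
\tgithub.com/healthy-org/lib v1.2.0
\tgithub.com/old-user/tool/v2 v2.3.1 // indirect
\tgolang.org/x/text v0.14.0
)
require github.com/gone-user/widget v0.9.0
"""

# Constructed stand-in for a live lookup. A real resolver would request
# https://github.com/<owner>/<repo> without following redirects and read the
# Location header of a 301; a 404 maps to None.
SAMPLE_LOOKUP = {"healthy-org/lib": "healthy-org/lib",
                 "old-user/tool": "new-user/tool",
                 "gone-user/widget": None}

def sample_resolver(owner: str, repo: str) -> Optional[str]:
    return SAMPLE_LOOKUP.get(f"{owner}/{repo}")

for dep_path, reason in audit_github_redirects(SAMPLE_GO_MOD, sample_resolver):
    print(f"{dep_path}: {reason}")
```

Running it on the constructed input reports the redirected `old-user/tool` module and the missing `gone-user/widget` module, while the healthy and non-GitHub dependencies are left alone.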

Attack Scheme and Potential Damage

GitHub introduced a protection mechanism in 2018 that prevents the creation of a new repository under an old name if the original repository had more than 100 clones at the time of the username change. However, the newly found vulnerability allowed this protection to be bypassed.

Notably, at the end of last year, GitHub had already fixed a similar vulnerability that could also have led to RepoJacking attacks.

Experts believe that the repository renaming mechanism carries a range of risks, and it’s possible that attackers may find new ways to exploit this feature in the future.
