Researchers uncover “high-severity” GitHub vulnerability
Researchers from the Checkmarx Supply Chain Security team have discovered a “high-severity” vulnerability in GitHub. Using a technique known as Repo jacking, attackers could take control of a GitHub repository by exploiting a logical “hidden” flaw in the architecture that makes renamed users vulnerable to attack.
The bug affects every username, and more than 10,000 packages on the Go, Swift and Packagist package managers hosted on GitHub are vulnerable to it.
Repo Jacking is a technique that lets attackers hijack traffic destined for a repository's URL and divert it to the attacker's repository by exploiting a logical bug that breaks the original redirect.
The vulnerable mechanism is identified as the “Popular repository namespace retirement.” GitHub repositories have a unique URL nested under the user account that created them. Every time someone downloads (clones) an open source repository, they use the full repository URL.
Because repository URLs are tied to usernames, GitHub supports renaming a user and displays a warning that traffic to the old repository URL will be redirected to the new one.
Once the warning is accepted and the username is renamed, GitHub automatically sets up redirect rules from the old repository URL to the new URLs, which keeps things working for users who are unaware of the rename.
A GitHub repository is therefore vulnerable to Repo Jacking when its creator renames their username, as long as the old username remains available for registration. The flaw lets attackers create a new GitHub account with the same username and repository name combination that existing users' URLs still point to.
Once attackers take that step, the default redirect is disabled and all existing traffic immediately goes to the attacker's malicious GitHub repository.
There are already reports of attackers using the repo-jacking technique. While this is a serious threat, it also highlights how attackers keep evolving their methods, looking for the simplest ways to abuse trusted open source packages for maximum impact.
To fix the bug and prevent malicious behavior, GitHub introduced the “popular repository namespace retirement” protection: any repository with more than 100 clones is “retired” when its user account is renamed, and its name cannot be reused by others.
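The exposure described above can be checked from the defender's side: a dependency path whose repository now redirects to a different owner, while the old username no longer resolves, is in the window the article describes. The following is an added example, not code from Checkmarx, GitHub or the cited article; the sample responses and account names are constructed, and the "exposed" verdict is a heuristic since a retired namespace also returns 404 but cannot be registered.

```python
import http.client
import re
import urllib.parse

# Matches the github.com/<owner>/<repo> shape used by Go, Swift and Packagist paths.
GITHUB_PATH = re.compile(
    r"^(?:https?://)?github\.com/([A-Za-z0-9-]+)/([A-Za-z0-9_.-]+?)(?:\.git)?(?:/.*)?$")

def parse_github_path(path):
    """Return (owner, repo) lower-cased, or None if this is not a GitHub path."""
    m = GITHUB_PATH.match(path) if path else None
    return (m.group(1).lower(), m.group(2).lower()) if m else None

def live_fetch_head(url):
    """HEAD a URL and return (status, Location or None); http.client never follows redirects."""
    u = urllib.parse.urlsplit(url)
    conn = http.client.HTTPSConnection(u.netloc, timeout=10)
    conn.request("HEAD", u.path or "/", headers={"User-Agent": "dep-redirect-check"})
    resp = conn.getresponse()
    return resp.status, resp.getheader("Location")

def check_dependency(path, fetch_head=live_fetch_head):
    """Classify one dependency path; fetch_head(url) must return (status, location)."""
    parsed = parse_github_path(path)
    if parsed is None:
        return {"path": path, "status": "not-github"}
    owner, repo = parsed
    status, location = fetch_head(f"https://github.com/{owner}/{repo}")
    target = parse_github_path(location)
    if target and target[0] != owner:
        # Owner renamed; a 404 on the old profile suggests the name is free (heuristic only).
        owner_status, _ = fetch_head(f"https://github.com/{owner}")
        verdict = "exposed" if owner_status == 404 else "redirected"
        return {"path": path, "status": verdict, "old_owner": owner, "new_owner": target[0]}
    if status == 404:
        return {"path": path, "status": "missing"}  # deleted, private, or already taken over
    return {"path": path, "status": "ok"}

# Constructed sample responses standing in for live GitHub HEAD requests (not real accounts).
SAMPLE_RESPONSES = {
    "https://github.com/olduser/tool": (301, "https://github.com/newuser/tool"),
    "https://github.com/olduser": (404, None),  # old username free to register
    "https://github.com/movedorg/lib": (301, "https://github.com/movedorg-hq/lib"),
    "https://github.com/movedorg": (200, None),  # old username still held
    "https://github.com/stableorg/lib": (200, None),
}

def sample_fetch_head(url):
    return SAMPLE_RESPONSES.get(url, (404, None))
```

Run `check_dependency` with the default fetcher over the GitHub paths in a go.sum, Package.resolved or composer.lock to get a live verdict per dependency; any "exposed" result is worth pinning to a commit hash or the new owner's path.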
The sources for this piece include an article in SCMedia.