Researchers uncover “high-severity” GitHub vulnerability

Obanla Opeyemi

November 7, 2022 - TuxCare expert team

Researchers from the Checkmarx Supply Chain Security team have discovered a “high-severity” vulnerability in GitHub. Using a technique known as repo jacking, attackers could take control of a GitHub repository by exploiting a “hidden” logical flaw in the architecture that leaves renamed users vulnerable to attack.

All renamed usernames were vulnerable to the bug, including those behind more than 10,000 packages on the Go, Swift and Packagist package managers that are hosted on GitHub.

Repo jacking is a technique that lets attackers hijack traffic destined for a repository URL and divert it to a repository the attacker controls, by exploiting a logical bug that breaks the original redirect.

The vulnerable mechanism is GitHub's “popular repository namespace retirement.” Every GitHub repository has a unique URL nested under the user account that created it, and anyone who downloads (clones) an open source repository uses that full URL.

Because repository URLs are linked to usernames, GitHub supports renaming an account and displays a warning that traffic for the old repository URL will be redirected to the new one.

Once the warning is accepted and the username is renamed, GitHub automatically sets up redirect rules from the old repository URL to the new one, which keeps things working for users who are unaware that the username changed.

A GitHub repository is therefore vulnerable to repo jacking when its creator renames their username, as long as the old username remains available for registration. The flaw lets an attacker create a new GitHub account under the old username and a repository with the old name, reproducing the exact URL that existing users still use.

Once an attacker has done this, the default redirect is disabled and all existing traffic immediately goes to the attacker's malicious GitHub repository.

There are already reports of attackers using the repo-jacking technique. Although this is a real hazard, it also highlights how attackers keep evolving their methods to find the simplest ways to abuse trusted open source packages for maximum impact.

To fix the bug and prevent abuse, GitHub introduced the “popular repository namespace retirement” protection: any repository with more than 100 clones at the time its user account is renamed is considered “retired”, and its namespace cannot be claimed by others.
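As an added illustration (not code from the article, Checkmarx or GitHub), the check below audits dependencies pinned to GitHub URLs from the consumer's side. Constructed resolver data stands in for live GitHub; the hypothetical accounts and commit hashes are made up. A pinned commit that no longer exists behind an unredirected URL is the signal that a freed namespace has been re-registered, while an active redirect means the upstream was renamed and the dependency should be repointed before the old name becomes available.

```python
import re
from dataclasses import dataclass, field

# Matches github.com/<owner>/<repo>, with or without scheme and .git suffix.
_GITHUB_RE = re.compile(r"^(?:https://)?github\.com/([\w.-]+)/([\w.-]+?)(?:\.git)?/?$")

@dataclass
class Resolved:
    owner: str     # namespace the URL serves today, after any rename redirect
    repo: str
    commits: set = field(default_factory=set)  # commit hashes present in that repo

def parse_github_url(url):
    m = _GITHUB_RE.match(url.strip())
    if not m:
        raise ValueError(f"not a GitHub repository URL: {url}")
    return m.group(1), m.group(2)

def audit(pins, resolve):
    """pins: {url: pinned_commit}; resolve(owner, repo) -> Resolved or None.
    Returns {url: status} describing how each pinned namespace behaves now."""
    report = {}
    for url, pinned in pins.items():
        owner, repo = parse_github_url(url)
        live = resolve(owner, repo)
        if live is None:
            report[url] = "UNCLAIMED"         # old name freed and not retired: anyone may register it
        elif (live.owner, live.repo) != (owner, repo):
            report[url] = "REDIRECTED"        # upstream renamed; repoint to the new URL now
        elif pinned not in live.commits:
            report[url] = "HIJACK_SUSPECTED"  # same URL, no redirect, but the pinned commit is gone
        else:
            report[url] = "OK"
    return report

# Constructed stand-in for live GitHub (hypothetical accounts, not real ones).
_FAKE_GITHUB = {
    ("alice", "libfoo"): Resolved("alice-new", "libfoo", {"abc123"}),  # renamed, redirect active
    ("bob", "toolbar"): Resolved("bob", "toolbar", {"999fff"}),        # freed name re-registered
    ("carol", "libbaz"): Resolved("carol", "libbaz", {"777aaa"}),      # unchanged
}

def fake_resolve(owner, repo):
    return _FAKE_GITHUB.get((owner, repo))

# Constructed lock data: dependency URL -> commit the project was last verified against.
PINS = {
    "https://github.com/alice/libfoo.git": "abc123",
    "github.com/bob/toolbar": "def456",
    "github.com/carol/libbaz": "777aaa",
    "github.com/dave/oldtool": "123456",
}
```

Against a real build, `resolve` would follow the clone URL's redirect and list the repository's commits; the pin-by-commit check is what makes a silently swapped namespace visible.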

The sources for this piece include an article in SCMedia.

Check out this news on our YouTube channel, where you will find the latest news on cyber security: https://bit.ly/3EtJstl
