A new vulnerability disclosed in GitHub could have exposed hundreds of repositories to repojacking attacks, new findings show.
The flaw “could allow an attacker to exploit a race condition within GitHub’s repository creation and username renaming operations,” Checkmarx security researcher Elad Rapoport said in a technical report shared with The Hacker News.
“Successful exploitation of this vulnerability impacts the open-source community by enabling the hijacking of over 4,000 code packages in languages such as Go, PHP, and Swift, as well as GitHub actions.”
Following responsible disclosure on March 1, 2023, the Microsoft-owned code hosting platform has addressed the issue as of September 1, 2023.
Repojacking, short for repository hijacking, is a technique in which a threat actor bypasses a security mechanism known as popular repository namespace retirement and ultimately gains control of a repository.
The protection measure prevents other users from creating a repository with the same name as a repository that had more than 100 clones at the time its user account was renamed. In other words, the combination of the username and the repository name is considered “retired.”
Should this safeguard be trivially circumvented, it could enable threat actors to create new accounts with the same username and upload malicious repositories, potentially leading to software supply chain attacks.
The new method outlined by Checkmarx takes advantage of a potential race condition between the creation of a repository and the renaming of a username to achieve repojacking. Specifically, it entails the following steps –
The last step is accomplished using an API request for repository creation and a renamed request interception for the username change. The development comes nearly nine months after GitHub patched a similar bypass flaw that could open the door to repojacking attacks.
“The discovery of this novel vulnerability in GitHub’s repository creation and username renaming operations underlines the persistent risks associated with the ‘popular repository namespace retirement’ mechanism,” Rapoport said.