A brand new vulnerability disclosed in GitHub may have uncovered hundreds of repositories susceptible to repojacking assaults, new findings present.
The flaw “may permit an attacker to use a race situation inside GitHub’s repository creation and username renaming operations,” Checkmarx safety researcher Elad Rapoport stated in a technical report shared with The Hacker Information.
“Profitable exploitation of this vulnerability impacts the open-source group by enabling the hijacking of over 4,000 code packages in languages resembling Go, PHP, and Swift, in addition to GitHub actions.”
Following accountable disclosure on March 1, 2023, the Microsoft-owned code internet hosting platform has addressed the difficulty as of September 1, 2023.
Repojacking, quick for repository hijacking, is a method the place a menace actor is ready to bypass a safety mechanism referred to as well-liked repository namespace retirement and in the end management of a repository.
What the safety measure does is forestall different customers from making a repository with the identical identify as a repository with greater than 100 clones on the time its consumer account is renamed. In different phrases, the mixture of the username and the repository identify is taken into account “retired.”
Ought to this safeguard be trivially circumvented, it may allow menace actors to create new accounts with the identical username and add malicious repositories, probably resulting in software program provide chain assaults.
The brand new technique outlined by Checkmarx takes benefit of a possible race situation between the creation of a repository and the renaming of a username to realize repojacking. Particularly, it entails the next steps –
- Sufferer owns the namespace “victim_user/repo”
- Sufferer renames “victim_user” to “renamed_user”
- The “victim_user/repo” repository is now retired
- A menace actor with the username “attacker_user” concurrently creates a repository referred to as “repo” and renames the username “attacker_user” to “victim_user”
The final step is completed utilizing an API request for repository creation and a renamed request interception for the username change. The event comes almost 9 months after GitHub patched a related bypass flaw that would open the door to repojacking assaults.
“The invention of this novel vulnerability in GitHub’s repository creation and username renaming operations underlines the persistent dangers related to the ‘well-liked repository namespace retirement’ mechanism,” Rapoport stated.
