A brand new vulnerability disclosed in GitHub may have uncovered hundreds of repositories liable to repojacking assaults, new findings present.
The flaw “may enable an attacker to take advantage of a race situation inside GitHub’s repository creation and username renaming operations,” Checkmarx safety researcher Elad Rapoport stated in a technical report shared with The Hacker Information.
“Profitable exploitation of this vulnerability impacts the open-source neighborhood by enabling the hijacking of over 4,000 code packages in languages equivalent to Go, PHP, and Swift, in addition to GitHub actions.”
Following accountable disclosure on March 1, 2023, the Microsoft-owned code internet hosting platform has addressed the difficulty as of September 1, 2023.
Repojacking, quick for repository hijacking, is a way the place a risk actor is ready to bypass a safety mechanism referred to as widespread repository namespace retirement and in the end management of a repository.
What the safety measure does is stop different customers from making a repository with the identical identify as a repository with greater than 100 clones on the time its person account is renamed. In different phrases, the mixture of the username and the repository identify is taken into account “retired.”
Ought to this safeguard be trivially circumvented, it may allow risk actors to create new accounts with the identical username and add malicious repositories, probably resulting in software program provide chain assaults.
The brand new methodology outlined by Checkmarx takes benefit of a possible race situation between the creation of a repository and the renaming of a username to realize repojacking. Particularly, it entails the next steps –
- Sufferer owns the namespace “victim_user/repo”
- Sufferer renames “victim_user” to “renamed_user”
- The “victim_user/repo” repository is now retired
- A risk actor with the username “attacker_user” concurrently creates a repository referred to as “repo” and renames the username “attacker_user” to “victim_user”
The final step is completed utilizing an API request for repository creation and a renamed request interception for the username change. The event comes practically 9 months after GitHub patched a comparable bypass flaw that would open the door to repojacking assaults.
“The invention of this novel vulnerability in GitHub’s repository creation and username renaming operations underlines the persistent dangers related to the ‘widespread repository namespace retirement’ mechanism,” Rapoport stated.
