The cloud-based repository hosting service GitHub has addressed a vulnerability that could have been exploited by threat actors to takeover the repositories of other users.
The vulnerability was discovered by Checkmarx that called the attack technique RepoJacking. The technique potentially allowed attackers to infect all applications and code in the repository.
“Checkmarx SCS (Supply Chain Security) team found a vulnerability in GitHub that can allow an attacker to take control over a GitHub repository, and potentially infect all applications and other code relying on it with malicious code.” reads the post published by Checkmarx. “If not explicitly tended, all renamed usernames on GitHub were vulnerable to this flaw, including over 10,000 packages on the Go, Swift, and Packagist package managers. This means that thousands of packages could have been hijacked immediately and start serving malicious code to millions of users.”
The researchers discovered that the vulnerability resides in the “popular repository namespace retirement” mechanism and developed an open-source tool to identify and help mitigate the risk of exploitation of bugs in this mechanism.
In the RepoJacking attack, attackers claim the old username of a repository after the legitimate creator changed the username, then publish a rogue repository with the same name to trick users into downloading its content.
The “popular repository namespace retirement” mechanism was introduced by Github to prevent RepoJacking. According to the security measure, any repository with more than 100 clones at the time its user account is renamed is considered “retired” and cannot be used by others.
The combination of the username and the repository name is considered “retired.”
The Checkmark researchers discovered the following bypass that abuses the “Repository Transfer” feature:
The namespace “victim/repo” is now in the attacker’s control
The successful exploitation of the flaw could have allowed attackers to push repositories containing malicious code and launch supply chain attacks using renamed usernames.
“As shown with the previous bypass of this protection measure, successful exploitation enables the takeover of popular code packages in several package managers, including “Packagist,” “Go,” “Swift,” and more. We have identified over 10,000 packages in those package managers using renamed usernames and are at risk of being vulnerable to this technique in case a new bypass is found.” concludes the report.
“In addition, exploiting this bypass can also result in a takeover of popular GitHub actions, which are also consumed by specifying a GitHub namespace. Poisoning a popular GitHub action could lead to major Supply Chain attacks with significant repercussions.”
Below is the timeline for this issue:
Follow me on Twitter: @securityaffairs and Facebook
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, RepoJacking)
[adrotate banner=”5″]
[adrotate banner=”13″]