GitHub flaw could have allowed attackers to takeover repositories of other users

A critical flaw in the cloud-based repository hosting service GitHub could’ve allowed attackers to takeover other repositories.

The cloud-based repository hosting service GitHub has addressed a vulnerability that could have been exploited by threat actors to takeover the repositories of other users.

The vulnerability was discovered by Checkmarx that called the attack technique RepoJacking. The technique potentially allowed attackers to infect all applications and code in the repository.

“Checkmarx SCS (Supply Chain Security) team found a vulnerability in GitHub that can allow an attacker to take control over a GitHub repository, and potentially infect all applications and other code relying on it with malicious code.” reads the post published by Checkmarx. “If not explicitly tended, all renamed usernames on GitHub were vulnerable to this flaw, including over 10,000 packages on the Go, Swift, and Packagist package managers. This means that thousands of packages could have been hijacked immediately and start serving malicious code to millions of users.”

The researchers discovered that the vulnerability resides in the “popular repository namespace retirement” mechanism and developed an open-source tool to identify and help mitigate the risk of exploitation of bugs in this mechanism.

In the RepoJacking attack, attackers claim the old username of a repository after the legitimate creator changed the username, then publish a rogue repository with the same name to trick users into downloading its content.

The “popular repository namespace retirement” mechanism was introduced by Github to prevent RepoJacking. According to the security measure, any repository with more than 100 clones at the time its user account is renamed is considered “retired” and cannot be used by others.  

The combination of the username and the repository name is considered “retired.”

The Checkmark researchers discovered the following bypass that abuses the “Repository Transfer” feature:

1. “victim/repo” is a popular GitHub repository retired under the “popular repository namespace retirement” protection.
2. “helper_account” creates the “repo” repository
3. “helper_account” transfer ownership of the “repo” repository to “attacker_account.”
4. “attacker_account” rename its username to “victim.”
5. The new “victim” account (previously “attacker_account”) accepts the ownership transfer

The namespace “victim/repo” is now in the attacker’s control

The successful exploitation of the flaw could have allowed attackers to push repositories containing malicious code and launch supply chain attacks using renamed usernames.

“As shown with the previous bypass of this protection measure, successful exploitation enables the takeover of popular code packages in several package managers, including “Packagist,” “Go,” “Swift,” and more. We have identified over 10,000 packages in those package managers using renamed usernames and are at risk of being vulnerable to this technique in case a new bypass is found.” concludes the report.

“In addition, exploiting this bypass can also result in a takeover of popular GitHub actions, which are also consumed by specifying a GitHub namespace. Poisoning a popular GitHub action could lead to major Supply Chain attacks with significant repercussions.”

Below is the timeline for this issue:

• 1 Nov 21 – We found a way to bypass the GitHub namespace retirement feature
• 8 Nov 21 – We disclose the bypass findings to GitHub
• 8 Nov 21 – GitHub acknowledged the bypass and replied that they are working on a fix
• 24 Mar 22 – GitHub respond that they have fixed the bypass
• 11 May 22 – We discover that the bypass is still exploitable and reported to GitHub
• 23 May 22 – This attack was found active against open-source attack
• 25 May 22 – This technique was published by a security researcher taking ownership of the attacks and was fixed shortly after by GitHub
• 13 June 22 – we found additional vulnerability to bypass GitHub namespace retirement feature and reported to the company
• 19 Sep 22 – GitHub fixed the vulnerability, classifies it as “High” severity, and grants us a bug bounty
• 26 Oct 22 – Full disclosure

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, RepoJacking)

[adrotate banner=”5″]

[adrotate banner=”13″]