How to abuse GitHub Codespaces to deliver malicious content

Researchers demonstrated how to abuse a feature in GitHub Codespaces to deliver malware to victim systems.

Trend Micro researchers reported that it is possible to abuse a legitimate feature in the development environment GitHub Codespaces to deliver malware to victim systems.

Users can customize their project for GitHub Codespaces by committing configuration files to their repository, which creates a repeatable codespace configuration for all users of your project. Each codespace runs on a virtual machine hosted by GitHub. 

The codespaces supports a port forwarding feature that allows users to access and debug a web application that’s running on a particular port from their browser on a local machine.

Trend Micro researchers pointed out that developers can share a forwarded port privately within the organization or publicly. A public port can be accessed by anyone that knows the URL and the port number.

Threat actors can abuse this feature to host malicious content and share links to these resources in their attacks.

“To validate our hypothesis of threat modeling abuse scenario, we ran a Python-based HTTP server on port 8080, forwarded and exposed the port publicly. In the process, we easily found the URL and the absence of cookies for authentication.” reads the post published by Trend Micro.

“GitHub Codespaces typically forwards ports using HTTP, but developers can change any port to HTTPS if needed. Once a developer updates a publicly visible port to HTTPS, the port’s visibility will automatically become private. A quick look at threat intelligence platforms like VirusTotal will show the domain having no malicious history, diminishing the chances of blocking the download of malicious files if distributed via this domain.”

An attacker can create a simple script to automate the creation of a codespace with a publicly exposed port and use it to host malicious content. Experts explained that the process consists in creating a webserver with an open directory serving the malicious files and waiting for 100 seconds before deletion once they are downloaded.

“Using such scripts, attackers can easily abuse GitHub Codespaces in serving malicious content at a rapid rate by exposing ports publicly on their codespace environments. Since each created codespace has a unique identifier to it, the subdomain associated is unique as well. This gives the attacker enough ground to create different instances of open directories,” Trend Micro continues.

The good news is that the attack technique devised by the researchers has yet to be exploited in attacks in the wild.

“Cloud services offer advantages to legitimate users and attackers alike. It helps attackers scale their attacks quickly and easily, hide their tracks, and avoid detection by abusing legitimate services like GitHub Codespaces. ” the researchers concluded. The features offered to legitimate subscribers also become available to threat actors as they take advantage of the resources provided by the CSP [cloud service provider]. concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, GitHub Codespaces)

[adrotate banner=”5″]

[adrotate banner=”13″]