GitHub's RepoJacking Vulnerability: Explained & Mitigated
Posted: 2023-09-18
By: dwirch
A newly uncovered vulnerability within GitHub could let attackers exploit a race condition between repository creation and username renaming. This opens the door to a RepoJacking attack, in which popular repositories can be commandeered to spread harmful code. It is the fourth such method identified that can potentially sidestep GitHub's "Popular repository namespace retirement" safety feature. GitHub patched the issue after being informed.
RepoJacking in Detail
RepoJacking is an attack in which malefactors gain control of a GitHub repository by leveraging a loophole that affects renamed users. The attacker seizes a valid, often widely recognized GitHub namespace, that is, a username and repository name combination like "example-user/example-repo". The vulnerability arises when a username is changed via GitHub's "user rename" feature.
Post-renaming, GitHub documentation clearly states that the old username can be taken by any other user. GitHub has a protective measure in place called the “popular repository namespace retirement” to counter misuse. If a repository has been cloned over 100 times when its user is renamed, that specific namespace (username and repository name) becomes “retired”, preventing others from using it.
Real-world Impact
Taking advantage of this loophole allows attackers to hijack more than 4,000 code packages in languages like Go, PHP, and Swift, and even GitHub Actions. Some of these packages have received over 1,000 stars, indicating a potentially widespread effect on a multitude of users and applications. Companies as large as Google and Lyft have been vulnerable to such attacks but took corrective action after being notified.
Breaking Down the New Exploitation
Elad Rapoport from Checkmarx SCS Group showed that this bypass can be executed by creating a repository and changing the username almost simultaneously.
The exploit's sequence is:
- "victim_user/repo" is owned by a victim.
- The victim renames "victim_user" to "renamed_user".
- "victim_user/repo" is now retired.
- An attacker with the username "attacker_user" sets up a command to almost simultaneously create a "repo" and change the "attacker_user" username to the victim's old username, "victim_user".
This discovery is the fourth known method for RepoJacking. Checkmarx previously found and reported two bypasses of this protective mechanism in 2022, which GitHub resolved. Joren Vrancken, an external researcher, identified a third bypass that year, which GitHub also fixed.
Recommendations
Users are advised to avoid using retired namespaces and to monitor their code for any links to a GitHub repository susceptible to RepoJacking. Checkmarx’s open-source tool, ChainJacking, can also help identify whether any direct GitHub dependencies of a Go project are at risk.
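As an added illustration of that monitoring advice (this is not code from the post and not ChainJacking's code), the sketch below lists the direct GitHub dependencies in a go.mod file and flags any namespace that no longer resolves to itself, since a dependency that only works through a rename redirect is exactly the kind of link worth reviewing. The `resolve` callable, the sample go.mod and the lookup results are assumptions constructed for the example; in real use `resolve` would ask GitHub which repository currently answers for each namespace.

```python
import re

# Module paths hosted on GitHub start with github.com/<owner>/<repo>.
GITHUB_MODULE = re.compile(r"^github\.com/([^/\s]+)/([^/\s]+)")

def direct_github_deps(go_mod_text):
    """Return the unique owner/repo namespaces of direct GitHub requirements."""
    found, in_block = set(), False
    for raw in go_mod_text.splitlines():
        line = raw.strip()
        if line.startswith("require"):
            in_block = line.endswith("(")          # "require (" opens a block
            line = line[len("require"):].strip()   # single-line form keeps the path
        elif line == ")":
            in_block = False
        elif not in_block:
            continue                               # module, go, replace, comments
        if "// indirect" in line:
            continue  # transitive dependency, out of scope here
        m = GITHUB_MODULE.match(line)
        if m:
            found.add(f"{m.group(1)}/{m.group(2)}".lower())
    return sorted(found)

def classify(deps, resolve):
    """resolve(ns) returns the owner/repo GitHub currently serves for ns, or None."""
    report = {}
    for ns in deps:
        current = resolve(ns)
        if current is None:
            report[ns] = "missing"      # nothing served: namespace may be claimable
        elif current.lower() != ns:
            report[ns] = "redirected"   # works only through a rename redirect
        else:
            report[ns] = "ok"
    return report

# Constructed sample go.mod and constructed lookup results (no network access).
SAMPLE_GO_MOD = """module example.com/app
require github.com/gone-user/tool v0.0.1
require (
    github.com/example-user/example-repo v0.3.1
    github.com/victim_user/repo/v2 v2.1.0
    github.com/other-user/lib v1.0.0 // indirect
    golang.org/x/text v0.13.0
)
"""
SAMPLE_STATE = {"example-user/example-repo": "example-user/example-repo",
                "victim_user/repo": "renamed_user/repo"}
```

Calling `classify(direct_github_deps(SAMPLE_GO_MOD), SAMPLE_STATE.get)` marks "victim_user/repo" as redirected and "gone-user/tool" as missing; both entries should be repointed to the current namespace or removed.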
In essence, because GitHub’s current protective measures are based on internal metrics and don't notify users of a namespace's protective status, it's essential for users to remain vigilant and proactive in ensuring their repositories are secure.