Security researchers have discovered a new flaw in GitHub which they say could have enabled attackers to take control of repositories and spread malware to related apps and code.
Although GitHub has now fixed the bug in its “popular repository namespace retirement” feature, the same tool could be targeted by threat actors in the future, Checkmarx warned. In fact, a separate vulnerability in the same tool was exploited earlier this year, enabling hackers to hijack and poison popular PHP packages with millions of downloads.
Popular repository namespace retirement was created by GitHub to guard against so-called “repojacking.”
GitHub repositories have a unique URL connected to their creator’s user account. If users decide to rename their account, a new URL will be generated and GitHub will redirect traffic from the repository’s original URL.
“Repojacking is a technique to hijack renamed repository URLs traffic and routing it to the attacker’s repository by exploiting a logical flaw that breaks the original redirect,” explained Checkmarx.
“A GitHub repository is vulnerable to repojacking when its creator decided to rename his username while the old username is available for registration. This means attackers can create a new GitHub account having the same combination to match the old repository URL used by existing users.”
Popular repository namespace retirement was meant to put a stop to this by ensuring that any repository with more than 100 clones at the time its user account is renamed is considered “retired” and cannot be used or hijacked by others.
However, Checkmarx’s bypass of the protection measure could have enabled the takeover of popular code packages in several package managers including Packagist, Go and Swift.
“We have identified over 10,000 packages in those package managers using renamed usernames and are at risk of being vulnerable to this technique in case a new bypass is found,” the firm warned.
“In addition, exploiting this bypass can also result in a takeover of popular GitHub actions, which are also consumed by specifying a GitHub namespace. Poisoning a popular GitHub action could lead to major supply chain attacks with significant repercussions.”
Mike Parkin, senior technical engineer at Vulcan Cyber, argued that the bug could have had a severe impact.
“Thousands of projects with millions of end users rely on open source libraries and code repositories, which makes the repositories a very attractive target for threat actors. If they can take control of the repository and insert malicious code into a trusted and widely used project, they can potentially infect tens of thousands to potentially millions of hosts with little additional effort,” he added.
“This is especially true for older projects that may still be widely used but are not as actively maintained, as there are fewer eyes on the code so a malicious insertion could go unnoticed.”