GitHub fixes race condition that could have led to ‘repojacking’

Source link : https://tech-news.info/github-fixes-race-condition-that-could-have-led-to-repojacking/

JÃ¼rgen FÃ¤lchle – inventory.adobe.c

A delicate flaw in how GitHub dealt with repository creation and consumer renaming could have had critical penalties for the open supply neighborhood, however has now been mounted. Learn extra about the way it labored

Alex Scroxton,
Security Editor

Published: 13 Sep 2023 16:00

GitHub has mounted a race condition vulnerability in its repository creation and consumer renaming operations that could have enabled risk actors to carry out what is named a repojacking assault.
Discovered and disclosed by researchers from Checkmarx, had the flaw been exploited, it could have been used to take management of code repositories and hijack them to distribute malicious code. It would additionally have had unhealthy implications for the reputations of those that fell sufferer to it.
“Repojacking is a technique where an attacker takes control of a GitHub repository by exploiting a logical flaw that renders renamed users vulnerable,” wrote Elad Rapoport of Checkmarx.
“The attacker hijacks a legitimate, often popular, namespace on GitHub. A namespace is the combination of the username and repo name, for example: example-user/example-repo.”
Namespaces on GitHub change into weak to repojacking when the unique username is modified utilizing the “user rename” characteristic. When a GitHub consumer renames themselves, GitHub doesn’t arrange redirects for his or her outdated profile web page or Pages websites, however does create redirects for his or her repositories. Users are made conscious of this by way of a pop-up through the course of.
Unfortunately, in doing so, the outdated username additionally turns into accessible for anyone else to declare, so as soon as the consumer has been efficiently renamed, a malicious actor can declare their outdated username, open a repo beneath the matching repo identify, and hijack the namespace.
Other flaws on this course of have beforehand been recognized and stuck, and GitHub did have safety measures accessible – notably retiring standard repositories (these with greater than 100 clones on the time of renaming) so that the username couldn’t be taken.
However, Rapoport discovered he was ready to bypass these fixes by profiting from a race condition between the creation of a repository and the renaming of a username, by virtually concurrently doing each – utilizing an API request for repository creation and a renamed request interception for the username change.
“Successful exploitation enables the takeover of popular code packages in several package managers, including ‘Packagist,’ ‘Go,’ ‘Swift’ and more,” he mentioned. “We have recognized over 4,000 packages in these package deal managers utilizing renamed usernames and are prone to being weak to this system in case a brand new bypass is discovered. Of these packages in danger, lots of of them have garnered over 1,000 stars on GitHub.
“In addition, exploiting this bypass can also result in a takeover of popular GitHub actions, which are also consumed by specifying a GitHub namespace. Poisoning a popular GitHub action could lead to major supply chain attacks with significant repercussions.”
Although this repojacking situation has been mounted, it’s the fourth one discovered prior to now couple of years – three in 2022 alone – and Rapoport mentioned it spoke to persistent dangers related to the favored repository namespace retirement mechanism.
“Many GitHub users, including users that control popular repositories and packages, choose to use the ‘user rename’ feature GitHub offers,” he mentioned. “For that reason, the attempt to bypass the ‘popular repository namespace retirement’ remains an attractive attack point for supply chain attackers with the potential to cause substantial damages.”
In spite of the repair, Checkmarx is recommending that customers keep away from utilizing retired namespaces to minimise their assault floor, and ensure there aren’t any code dependencies that could go away a GitHub repository weak. It presents its personal open supply instrument, Chainjacking, which may help with this.