GitHub Repojacking Bug Let Hackers Take Control Over a GitHub Repository

A high-severity security flaw has been patched recently by GitHub on September 19, 2022, and it’s a cloud-based repository hosting service. By exploiting this vulnerability, malicious repositories could have been created and attacks on the supply chain could have been mounted.

This vulnerability has been named “RepoJacking” and was discovered by the experts at Checkmarx SCS (Supply Chain Security) team.

RepoJacking

RepoJacking is a technique that could be exploited by the threat actors to evade the “Popular repository namespace retirement” protection mechanism.

The RepoJacking technique is designed to take advantage of renamed repository URL traffic and redirect it to the attacker’s repository in order to steal data from it.

Using this method, the developers are prevented from dragging the unsafe repositories that bear the same name from the same repository.

In the case of GitHub, this flaw affected all usernames that had been renamed. There are more than 10,000 packages included on the following package managers:-

  • Go package managers
  • Swift package managers
  • Packagist package managers

Consequently, millions of users could have been infected with malicious code immediately as thousands of packages could have been hijacked by the threat actors instantly.

GitHub repositories can be hacked when their creators decide to rename their username alongside the release of the old username, and here in this instance the old username can still be registered under the new username.

Link Between GitHub Repository & Username

There is a unique URL associated with each GitHub repository, which is nested under the account of the user who created it.

In order to download a set of open-source files from a repository, you need to use the full URL of the repository that contains the open-source code.

When a user renames his or her account, what happens? GitHub supports renaming in such a case, displaying the following warning, noting that the rename has been approved, and all the old repository’s traffic will be redirected to the newly-named repository.

As a consequence of this change, users who have not been informed of the change will still be able to access the site.

According to the report, The attack relies largely on the fact that GitHub only considers the namespace as retired once it has been abandoned. If an attacker succeeded in exploiting this vulnerability, they might have been able to compel malicious repositories.

Evading GitHub Protection

In investigation of the use of the “Repository Transfer” feature, cybersecurity analysts at Checkmark researchers discovered the following bypass:-

  • “victim/repo” is a popular GitHub repository retired under the “popular repository namespace retirement” protection.
  • “helper_account” creates the “repo” repository
  • “helper_account” transfer ownership of the “repo” repository to “attacker_account.”
  • “attacker_account” rename its username to “victim.”
  • The new “victim” account (previously “attacker_account”) accepts the ownership transfer

Timeline

  • 1 Nov 21 – We found a way to bypass the GitHub namespace retirement  feature
  • 8 Nov 21 – We disclose the bypass findings to GitHub
  • 8 Nov 21 – GitHub acknowledged the bypass and replied that they are working on a fix
  • 24 Mar 22 – GitHub respond that they have fixed the bypass
  • 11 May 22 – We discover that the bypass is still exploitable and reported to GitHub
  • 23 May 22 – This attack was found active against open-source attack
  • 25 May 22 – This technique was published by a security researcher taking ownership of the attacks and was fixed shortly after by GitHub
  • 13 June 22 – we found additional vulnerability to bypass GitHub namespace retirement feature and reported to GitHub
  • 19 Sep 22 – GitHub fixed the vulnerability, classifies it as “High” severity, and grants us a bug bounty
  • 26 Oct 22 – Full disclosure

Cybersecurity experts strongly recommend that users should avoid using retired namespaces because they are no longer secure. Consequently, this will significantly reduce the attack surface, since other vulnerabilities may still exist within this mechanism.

Penetration Testing As a Service – Download Red Team & Blue Team Workspace

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.