Critical GitHub Vulnerability Puts Over 4,000 Repositories at Risk of Repojacking Attack

New Vulnerability Exposes Thousands of GitHub Repositories to Repojacking Attacks

A recently disclosed vulnerability in GitHub has raised concerns about the security of thousands of repositories, putting them at risk of repojacking attacks. According to findings from Checkmarx security researcher Elad Rapoport, the flaw allows attackers to exploit a race condition between GitHub’s repository creation and username renaming processes.

The exploitation of this vulnerability poses a significant threat to the open-source community. Rapoport highlighted that it could lead to the hijacking of more than 4,000 code packages across various programming languages, including Go, PHP, and Swift, alongside vulnerabilities within GitHub actions. Such a breach could undermine the integrity of software that many developers rely upon.

Following a responsible disclosure on March 1, 2023, the issue has been addressed by Microsoft, GitHub’s parent company, as of September 1, 2023. Despite these mitigations, the revelation highlights ongoing risks associated with repository namespace security.

Repojacking, a term derived from repository hijacking, describes a method where malicious actors bypass a critical protection called “popular repository namespace retirement.” This mechanism is designed to prevent users from creating repositories with names previously associated with popular accounts, specifically those with over 100 clones at the time of account renaming. If this safeguard is compromised, it enables attackers to set up new accounts with the same usernames, subsequently uploading malicious repositories and potentially launching software supply chain attacks.

Checkmarx’s report explains how attackers can manipulate the timing between repository creation and username renaming. In a practical scenario, an attacker could simultaneously create a repository and rename their username to that of a victim whose namespace has just been retired. By using API requests for repository creation and intercepting the username change, they can effectively seize control of the victim’s namespace.
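The practical defence against a reclaimed namespace is the same whether the race above is fixed or not: never let a workflow or dependency resolve a name alone. The following script, an added example that is not from the Checkmarx report or from GitHub, line-scans a workflow for third-party `uses:` references, reports any that are pinned to a tag or branch instead of a full commit SHA, and, through an injected lookup, flags actions whose repository now lives under a different owner than the one the workflow names. The workflow text, the owner and repository names, the SHA and the `constructed_resolver` mapping are all constructed placeholders; in real use the resolver would follow the HTTP redirect GitHub serves for a renamed account.

```python
import re

# Constructed sample workflow for this example; owners, repos and the SHA are placeholders,
# not real actions or commits.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - uses: example-org/example-action@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: go build ./...
"""

USES_RE = re.compile(r'^\s*-?\s*uses:\s*([^\s#]+)')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def audit_workflow(text):
    """Line-scan a workflow (no YAML parser is needed for this shape) and describe every
    third-party `uses:` reference. Local paths and docker images are skipped because they
    do not live in a GitHub namespace."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        uses = m.group(1)
        if uses.startswith(('./', 'docker://')):
            continue
        target, _, ref = uses.partition('@')
        parts = target.split('/')
        owner = parts[0]
        repo = parts[1] if len(parts) > 1 else ''
        findings.append({
            'line': lineno, 'uses': uses, 'owner': owner, 'repo': repo,
            'ref': ref, 'pinned': bool(FULL_SHA_RE.match(ref)),
        })
    return findings


def unpinned_actions(findings):
    """Actions referenced by tag or branch: if the owner namespace is ever reclaimed, the
    tag can be made to point at anything. Pinning to a full commit SHA removes that."""
    return [f for f in findings if not f['pinned']]


def redirected_actions(findings, resolve_owner):
    """Actions whose repository now resolves to a different owner than the workflow names.

    resolve_owner(owner, repo) is injected. A redirect means the workflow still names a
    retired namespace, which is exactly what repojacking tries to reclaim."""
    out = []
    for f in findings:
        current = resolve_owner(f['owner'], f['repo'])
        if current is not None and current != f['owner']:
            out.append({**f, 'current_owner': current})
    return out


# Constructed resolver standing in for a network lookup (hypothetical rename).
_RENAMES = {('example-org', 'example-action'): 'example-org-new'}


def constructed_resolver(owner, repo):
    return _RENAMES.get((owner, repo), owner)


if __name__ == '__main__':
    findings = audit_workflow(SAMPLE_WORKFLOW)
    for f in unpinned_actions(findings):
        print(f"line {f['line']}: {f['uses']} is not pinned to a commit SHA")
    for f in redirected_actions(findings, constructed_resolver):
        print(f"line {f['line']}: {f['owner']} now redirects to {f['current_owner']}")
```

The two checks are deliberately separate. A SHA pin protects you even if the namespace is later reclaimed, because a commit hash cannot be re-pointed; the redirect check is the early warning that a name you depend on has already been retired and should be updated to its current owner before anyone else claims it. The same idea applies to Go module paths and other package references that embed a GitHub owner name.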

This vulnerability surfaced less than nine months after GitHub patched a similar flaw, underscoring the persistent security issues within the platform. Rapoport emphasized that the discovery of such a vulnerability in GitHub’s operations highlights the ongoing threats tied to the repository namespace retirement mechanism.

Cybersecurity professionals and business owners should remain vigilant. This incident illustrates how even established platforms like GitHub can be susceptible to sophisticated attacks and highlights the critical need for continuous security assessments. Understanding tactics such as initial access and persistence, as outlined in the MITRE ATT&CK Matrix, could provide valuable insights into preventing similar vulnerabilities in future implementations.

As GitHub and other platforms evolve their security measures, it is imperative for organizations to stay informed and equipped against emerging threats in the ever-changing landscape of cybersecurity.
