🚨 New GitHub Vulnerability Exposed! 🚨

A recent discovery by Checkmarx security researcher Elad Rapoport has unveiled a critical vulnerability in GitHub, potentially putting thousands of repositories at risk of repojacking attacks.

🔍 What’s the Vulnerability?

The flaw allowed attackers to exploit a race condition between GitHub’s repository creation and username renaming operations. Successful exploitation of this vulnerability impacted over 4,000 code packages in languages like Go, PHP, and Swift, as well as GitHub Actions.

📆 Disclosure and Resolution

Responsible disclosure took place on March 1, 2023, and as of September 1, 2023, GitHub, which is owned by Microsoft, has successfully addressed the issue.

🛡️ What is Repojacking?

Repojacking, short for repository hijacking, is a technique that enables threat actors to bypass security mechanisms and gain control of repositories. This puts the open-source community at risk.

🔐 The Protective Measure

GitHub had implemented a safeguard to prevent the creation of repositories with the same name as those with over 100 clones. Such a username/repository-name combination is considered “retired.” However, if this safeguard were to be circumvented, it could lead to software supply chain attacks.

🤯 How Did the Vulnerability Work?

Checkmarx outlined a new method that exploited a race condition between repository creation and username renaming. The steps involved:

  1. The victim owns the namespace "victim_user/repo."
  2. The victim renames "victim_user" to "renamed_user."
  3. The "victim_user/repo" repository becomes retired.
  4. A threat actor, with the username "attacker_user," simultaneously creates a repository called "repo" and renames the username "attacker_user" to "victim_user."
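The core design lesson behind those steps is that the “retired namespace” check guarded only repository creation, while a username rename could produce the same end state through a different path. The toy model below is an added illustration written for this post, not GitHub’s or Checkmarx’s code: `Registry`, its retirement rule and the `check_on_rename` toggle are all constructed assumptions. It shows the sequence above landing on the retired namespace when only creation is checked, and being refused once the rename re-checks every namespace it would move a repository into.

```python
"""Constructed model of a retired-namespace safeguard and the rename gap."""
from dataclasses import dataclass, field

CLONE_THRESHOLD = 100  # per the post: namespaces with over 100 clones are retired


@dataclass
class Registry:
    repos: dict = field(default_factory=dict)   # "owner/name" -> clone count
    retired: set = field(default_factory=set)   # retired "owner/name" keys
    check_on_rename: bool = False               # hardened behaviour (assumption)

    def create_repo(self, owner, name, clones=0):
        """Creation is checked against the retired list (the safeguard)."""
        key = f"{owner}/{name}"
        if key in self.retired:
            raise PermissionError(f"{key} is retired")
        self.repos[key] = clones

    def rename_user(self, old, new):
        """Move every repo of `old` under `new`; retire the popular old names."""
        moved = {k: v for k, v in self.repos.items() if k.startswith(old + "/")}
        targets = {new + k[len(old):]: v for k, v in moved.items()}
        # Hardened variant: the rename must not land on a retired namespace.
        if self.check_on_rename and self.retired & set(targets):
            raise PermissionError("rename would land on a retired namespace")
        for key, clones in moved.items():
            del self.repos[key]
            if clones > CLONE_THRESHOLD:
                self.retired.add(key)
        self.repos.update(targets)


def simulate(hardened):
    """Replay the four steps from the post; returns 'hijacked' or 'blocked'."""
    reg = Registry(check_on_rename=hardened)
    reg.create_repo("victim_user", "repo", clones=500)   # step 1
    reg.rename_user("victim_user", "renamed_user")       # steps 2-3: retires it
    assert "victim_user/repo" in reg.retired
    reg.create_repo("attacker_user", "repo")             # step 4a: name not retired
    try:
        reg.rename_user("attacker_user", "victim_user")  # step 4b
    except PermissionError:
        return "blocked"
    return "hijacked" if "victim_user/repo" in reg.repos else "blocked"


if __name__ == "__main__":
    print("creation-only check:", simulate(hardened=False))
    print("check on rename too:", simulate(hardened=True))
```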

🔗 Read the Full Article

For more details on this critical GitHub vulnerability, read the full article here.

Stay secure and keep your repositories safe! 🛡️🔒