GitHub vulnerability allows hackers to hijack thousands of open-source packages
Written by Alicia Hope

Published: November 14, 2022


Checkmarx Security researchers disclosed a GitHub vulnerability that allows threat actors to hijack and poison thousands of open-source packages with millions of users.

Dubbed RepoJacking (repository hijacking), the vulnerability affects a GitHub namespace retirement feature that protects repositories of renamed user accounts.

Security experts warned that the critical vulnerability could lead to widespread software supply chain attacks affecting millions of users.



GitHub vulnerability allows users to reclaim renamed accounts


Checkmarx Supply Chain Security team discovered that the logical flaw allows a GitHub user to recreate a GitHub repository identical to one on a renamed account.

GitHub had tried to prevent this exploit by marking a repository with more than 100 clones as retired at the time its user account is renamed. However, the platform allows users to reclaim renamed usernames, although it prevents them from creating repositories matching those that previously existed under that username.

According to the researchers, GitHub considers the username and repo name combinations as a namespace that cannot be reclaimed. However, threat actors discovered a method to circumvent this limitation by creating matching repos under a different username and renaming their account to the targeted renamed username.

“A GitHub repository is vulnerable to repojacking when its creator decided to rename his username while the old username is available for registration. This means attackers can create a new GitHub account having the same combination to match the old repository URL used by existing users,” Checkmarx security researchers Jossef Harush and Aviad Gershon wrote.

Hijacking the namespace prevents the GitHub retirement tool from redirecting users to the renamed open-source package’s new URL. Instead, it transfers them directly to the reclaimed package under the threat actor’s control.



GitHub vulnerability affects over 10,000 open-source packages


Checkmarx researchers found that the GitHub vulnerability affected all renamed usernames on GitHub and repositories in most package managers. So far, the cybersecurity firm has identified over 10,000 packages in Go, Swift, and Packagist package managers using renamed usernames.

Mostly affected are programming languages that pull open-source packages directly from the source control system, such as PHP, and users who had bookmarked the renamed open-source packages.

The researchers warned that the GitHub vulnerability would lead to the takeover of popular code packages and the distribution of malicious code to millions of users, causing widespread supply chain attacks.

“The practical meaning of this is that thousands of packages can immediately be hijacked and start serving malicious code to millions of users and many applications,” they wrote.

“Thousands of projects with millions of end users rely on open source libraries and code repositories, which makes the repositories a very attractive target for threat actors,” said Mike Parkin, Senior Technical Engineer at Vulcan Cyber.

Checkmarx discovered the GitHub vulnerability in November 2021 and informed the parent company Microsoft. In March 2022, GitHub reported that it had fixed the flaw. However, Checkmarx discovered that the repository transfer feature was still exploitable in May 2022 and shared its findings with GitHub.

However, GitHub had yet to patch the vulnerability at the time of disclosure. The Atlanta, Georgia-based application security company went public after a “reckless security researcher” hijacked three open-source packages by exploiting the popular repository namespace retirement tool.

Checkmarx published a Chainjacking tool for Go developers to determine if they were using vulnerable open-source packages in their projects. The security firm also created a monitoring system to detect attempts to exploit the GitHub vulnerability until the platform implements the necessary mitigations.

Tim Mackey, Principal Security Strategist at Synopsys Cybersecurity Research Center, said that GitHub users should define the end-of-life for the open-source packages they maintain.

“This includes having trusted individuals as owners or group accounts and defining a GitHub successor – in addition to publishing explicit end-of-life or deprecation statements.”

Mackey advised developers against relying on the historical popularity of a source-code package when starting a new project. Instead, they should confirm that the repository is healthy and actively maintained.

“Healthy projects can be determined by the project’s GitHub Insights and looking at the Code Contributors and Code Frequency data. If the project is popular, and there is limited activity or the activity is limited to a handful of contributors, then that project isn’t as healthy as its popularity might indicate.”

According to Mackey, threat actors prefer unhealthy but popular open-source packages.

Melissa Bischoping, Director, Endpoint Security Research at Tanium, said that the prevalence of open-source packages and shared libraries across enterprises posed the greatest risk of repojacking.

“If developing software, it is essential to audit the code in those repositories, as well as create your own private fork to work (as opposed to pulling from the current public repository),” she said.



https://www.cpomagazine.com/cyber-securi...-packages/
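The article notes that the exposure is greatest for ecosystems that pull packages straight from source control, such as Go. As an added example (not part of the article and not Checkmarx's tool), the sketch below audits a `go.mod` file for GitHub dependencies that only resolve through a rename redirect, which is the condition repojacking depends on. The sample `go.mod`, the owner and repository names, and the lookup table are all constructed; in live use the `resolve` callable would be backed by a repository lookup that follows redirects.

```python
import re

# Matches GitHub-hosted module paths in go.mod require lines (single or block form).
_GITHUB_MODULE = re.compile(
    r"^\s*(?:require\s+)?github\.com/([\w.-]+)/([\w.-]+)(?:/\S*)?\s+v\S+", re.M)

def github_deps(go_mod_text):
    """Return the sorted set of 'owner/repo' names required by a go.mod file."""
    return sorted({f"{o}/{r}" for o, r in _GITHUB_MODULE.findall(go_mod_text)})

def audit(deps, resolve):
    """Classify each dependency by what its GitHub URL currently resolves to.

    resolve(name) returns the canonical 'owner/repo' the name leads to, or
    None when nothing is served there. How it is populated is an assumption:
    for example, the full_name field of GitHub's REST API response for
    GET /repos/{owner}/{repo} after following redirects.
    """
    report = {}
    for name in deps:
        canonical = resolve(name)
        if canonical is None:
            report[name] = "missing"
        elif canonical.lower() != name.lower():
            # Still works only because the old namespace redirects.
            report[name] = f"redirects to {canonical}"
        else:
            report[name] = "ok"
    return report

# Constructed go.mod for illustration; none of these modules are real.
SAMPLE_GO_MOD = """\
module example.com/app

go 1.19

require (
	github.com/old-owner/widget v1.4.2
	github.com/stable-org/parser/v2 v2.0.1 // indirect
	github.com/gone-user/helper v0.3.0
	golang.org/x/text v0.4.0
)
"""

# Constructed lookup results standing in for live queries.
SAMPLE_LOOKUP = {"old-owner/widget": "new-owner/widget",
                 "stable-org/parser": "stable-org/parser"}

if __name__ == "__main__":
    for dep, status in audit(github_deps(SAMPLE_GO_MOD), SAMPLE_LOOKUP.get).items():
        print(f"{dep}: {status}")
```

A dependency reported as redirecting should be repointed to its canonical path so the build no longer relies on the old namespace.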