Monday, October 31, 2022

GitHub Repojacking Bug May Have Allowed Attackers to Take Over Other Customers' Repositories


Cloud-based repository hosting service GitHub has addressed a high-severity security flaw that could have been exploited to create malicious repositories and mount supply chain attacks.

The RepoJacking technique, disclosed by Checkmarx, involves a bypass of a security mechanism called popular repository namespace retirement, which aims to prevent developers from pulling unsafe repositories with the same name.

The issue was addressed by the Microsoft-owned subsidiary on September 19, 2022, following responsible disclosure.

RepoJacking occurs when the creator of a repository opts to change their username, potentially enabling a threat actor to claim the old username and publish a rogue repository with the same name in an attempt to trick users into downloading it.


While Microsoft's countermeasure “retire[s] the namespace of any open source project that had more than 100 clones in the week leading up to the owner's account being renamed or deleted,” Checkmarx found that this could be circumvented by means of the “repository transfer” feature.

The way this works is as follows:

  • A threat actor creates a repository with the same name as the retired repository (say, “repo”) owned by a user named “victim,” but under a different username (say, “helper”)
  • “helper” transfers ownership of “repo” to a second account with the username “attacker”
  • “attacker” renames the account's username to “victim”
  • The namespace “victim/repo” is now under the adversary's control

In other words, the attack hinges on the quirk that GitHub only treats the exact namespace, i.e., the combination of username and repository name, as retired, permitting a bad actor to reuse the repository name in conjunction with an arbitrary username.
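To make the quirk concrete, here is an added Python model (not GitHub's code and not from Checkmarx's research) of a namespace registry whose retirement list is consulted only when a repository is created; it replays the four steps above and shows that re-validating an account's namespaces on username rename closes the path. The article does not state which internal step on GitHub's side lacked the check, so the "create-only" check and the unchecked transfer are assumptions of this model.

```python
from dataclasses import dataclass, field


@dataclass
class NamespaceRegistry:
    """Toy model of owner/repo namespaces plus a retirement list.
    Vulnerable variant: the retirement list is only consulted on create.
    Hardened variant (check_on_rename=True): every repo an account owns is
    re-validated against the retirement list when the account is renamed."""
    retired: set = field(default_factory=set)   # {(owner, repo)}
    repos: dict = field(default_factory=dict)   # owner -> {repo, ...}
    check_on_rename: bool = False

    def create(self, owner, repo):
        if (owner, repo) in self.retired:
            raise PermissionError(f"{owner}/{repo} is a retired namespace")
        self.repos.setdefault(owner, set()).add(repo)

    def transfer(self, src, dst, repo):
        # Assumption of this model: transfer does not consult the list either.
        self.repos[src].remove(repo)
        self.repos.setdefault(dst, set()).add(repo)

    def rename_user(self, old, new):
        moving = self.repos.pop(old, set())
        if self.check_on_rename:
            clash = sorted(r for r in moving if (new, r) in self.retired)
            if clash:
                self.repos[old] = moving          # roll back, refuse rename
                raise PermissionError(f"{new}/{clash} would revive retired names")
        self.repos.setdefault(new, set()).update(moving)

    def owns(self, owner, repo):
        return repo in self.repos.get(owner, set())


def run_transfer_rename(check_on_rename):
    """Replay the four-step sequence; True if the adversary ends up owning
    the retired namespace victim/repo (constructed names from the article)."""
    ns = NamespaceRegistry(retired={("victim", "repo")},
                           check_on_rename=check_on_rename)
    ns.create("helper", "repo")                  # allowed: helper/repo not retired
    ns.transfer("helper", "attacker", "repo")    # now attacker/repo
    try:
        ns.rename_user("attacker", "victim")     # would yield victim/repo
    except PermissionError:
        return False
    return ns.owns("victim", "repo")
```

Direct creation of victim/repo is refused by both variants; only the transfer-then-rename route differs.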


Successful exploitation could have effectively allowed attackers to push poisoned repositories, putting renamed usernames at risk of falling victim to supply chain attacks.

“If not explicitly tended, all renamed usernames on GitHub were vulnerable to this flaw, including over 10,000 packages on the Go, Swift, and Packagist package managers,” Checkmarx researcher Aviad Gershon said.
