Critical GitHub Vulnerability Exposes 4,000+ Repositories to Repojacking Attack


Sep 12, 2023 | THN | Software Security / Vulnerability


A new vulnerability disclosed in GitHub could have exposed thousands of repositories to the risk of repojacking attacks, new findings show.

The flaw "could allow an attacker to exploit a race condition within GitHub's repository creation and username renaming operations," Checkmarx security researcher Elad Rapoport said in a technical report shared with The Hacker News.

"Successful exploitation of this vulnerability impacts the open-source community by enabling the hijacking of over 4,000 code packages in languages such as Go, PHP, and Swift, as well as GitHub actions."

Following responsible disclosure on March 1, 2023, the Microsoft-owned code hosting platform addressed the issue as of September 1, 2023.


Repojacking, short for repository hijacking, is a technique in which a threat actor bypasses a security mechanism called popular repository namespace retirement and ultimately gains control of a repository name.

The protection measure prevents other users from creating a repository with the same name as a repository that had more than 100 clones at the time its user account was renamed. In other words, the combination of the username and the repository name is considered "retired."

Should this safeguard be trivially circumvented, it could enable threat actors to create new accounts with the same username and upload malicious repositories, potentially leading to software supply chain attacks.


The new method outlined by Checkmarx takes advantage of a potential race condition between the creation of a repository and the renaming of a username to achieve repojacking. Specifically, it entails the following steps -

  1. Victim owns the namespace "victim_user/repo"
  2. Victim renames "victim_user" to "renamed_user"
  3. The "victim_user/repo" repository is now retired
  4. A threat actor with the username "attacker_user" simultaneously creates a repository called "repo" and renames the username "attacker_user" to "victim_user"

The last step is accomplished using an API request for repository creation together with an intercepted rename request for the username change. The development comes almost 9 months after GitHub patched a similar bypass flaw that could open the door to repojacking attacks.

"The discovery of this novel vulnerability in GitHub's repository creation and username renaming operations underlines the persistent risks associated with the 'popular repository namespace retirement' mechanism," Rapoport said.
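Namespace retirement protects consumers who reference a repository by its mutable "owner/repo" name; when that protection fails, anything that resolves the name at build time (a GitHub Actions `uses:` line, a Go import path) follows the new owner. The consumer-side mitigation is to pin to an immutable commit SHA and to keep an inventory of owners you depend on that have been renamed. The following audit script is an added example, not code from the article or from Checkmarx; the workflow text, the owner names and the `RENAMED_OWNERS` inventory are constructed placeholders.

```python
import re

# Constructed sample workflow (not from the article); owner names are placeholders.
SAMPLE_WORKFLOW = """
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/setup-tool@v2
      - uses: example-org/lint@8f3b2c1d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b
      - uses: ./.github/actions/local-step
      - run: make test
"""

# Constructed inventory of owners known to have renamed their account.
# A real inventory would be maintained from your own dependency review;
# a reference to the old owner name is exactly what retirement is meant to protect.
RENAMED_OWNERS = {"example-org": "example-org-renamed"}

# Matches "- uses: <target>" and captures the target up to whitespace or a comment.
USES_RE = re.compile(r"^\s*-\s*uses:\s*([^\s#]+)", re.MULTILINE)
# A full 40-hex-digit commit SHA is the only immutable reference form.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(workflow_text):
    """Return (owner, repo, ref) tuples for every remote `uses:` reference.

    Local (./) and docker:// references do not resolve through a GitHub
    namespace, so they are skipped.
    """
    refs = []
    for match in USES_RE.finditer(workflow_text):
        target = match.group(1)
        if target.startswith("./") or target.startswith("docker://"):
            continue
        path, _, ref = target.partition("@")
        parts = path.split("/")
        if len(parts) < 2:
            continue
        refs.append((parts[0], parts[1], ref))
    return refs


def audit_workflow(workflow_text, renamed_owners=RENAMED_OWNERS):
    """Return (reference, finding, detail) tuples for two checks:

    "unpinned"      - the ref is a tag or branch, not a commit SHA, so the
                      build resolves it against whoever holds the namespace
    "renamed-owner" - the owner is in the renamed inventory, so the name
                      relies on namespace retirement rather than on the
                      current account
    """
    findings = []
    for owner, repo, ref in parse_uses(workflow_text):
        name = f"{owner}/{repo}"
        if not SHA_RE.match(ref):
            findings.append((name, "unpinned", ref or "<no ref>"))
        if owner in renamed_owners:
            findings.append((name, "renamed-owner", renamed_owners[owner]))
    return findings


if __name__ == "__main__":
    for name, finding, detail in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{finding:14} {name} ({detail})")
```

Running the script against the constructed workflow flags `actions/checkout@v4` and `example-org/setup-tool@v2` as unpinned, and both `example-org` references as pointing at a renamed owner; the SHA-pinned `example-org/lint` reference is still reported for the rename, since the name is what a later repojack would target, but its pinned commit would not silently change. The same two checks apply to Go import paths in `go.mod`, where the module proxy and checksum database add a further layer the workflow runner lacks.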
