
GitHub Vulnerability Put Code Packages at Risk of Repojacking – Source: securityboulevard.com


Source: securityboulevard.com – Author: Jeffrey Burt

A newly disclosed vulnerability in GitHub's account and repository operations could have given attackers another way around the code hosting platform's security protections, exposing thousands of code packages to hijacking.

An attacker could have exploited the vulnerability to carry out a Repojacking attack by bypassing GitHub's popular repository namespace retirement mechanism, a protection put in place several years ago to defend developers against exactly this kind of takeover.

Checkmarx security researchers Elad Rapoport and Yehuda Gelb wrote in a report today that the vulnerability discovered by the firm was the fourth unique method identified so far that lets threat actors bypass GitHub's protection.

Checkmarx had found two of the three previous vulnerabilities last year; another researcher, Joren Vrancken, had found the other one, also in 2022.

In the latest case, Checkmarx researchers discovered the bug in March and informed Microsoft-owned GitHub, which fixed the vulnerability earlier this month.

However, the discovery of the flaw underscores the security challenges GitHub and other code repositories – including NPM and the Python Package Index (PyPI) – are facing. Over the past couple of years, they've become popular targets for bad actors looking to launch software supply-chain attacks by placing malicious code on the platforms in the hope that developers will inadvertently pull it into their software and expose downstream users.

Hijacking Repositories

In this case, that avenue is Repojacking, short for repository hijacking. Attackers take over popular repositories by exploiting a logic flaw involving the username half of the repository's namespace; the other half of the namespace is the repository's name.

A developer who changes the username in the namespace is told that all traffic to the old repository URL will be redirected to the new one. They are also told that once the username has been changed, the old one can be claimed by anyone. That includes bad actors, who can register the old username, create a repository with the matching repository name, and thereby hijack the old namespace.

GitHub put its popular repository namespace retirement mechanism in place to block such hijacking: any repository that had more than 100 clones at the time its owner renamed the account is retired, so the combination of the old username and the repository name can no longer be used by anyone else.

Cybercriminals who get around the security measure can create new accounts and upload malicious repositories. Cybersecurity researchers have found multiple ways to get around the popular repository namespace retirement mechanism. In June, Aqua Security analysts uncovered a range of repositories that were vulnerable to Repojacking, putting major companies like Google and Lyft at risk.

Checkmarx’s Rapoport and Gelb said if threat actors were able to exploit the latest vulnerability it would threaten more than 4,000 open-source developer code packages written in Go, Swift, and PHP that were using renamed usernames.

“In addition, exploiting this bypass can also result in a takeover of popular GitHub actions, which are also consumed by specifying a GitHub namespace,” they wrote. “Poisoning a popular GitHub action could lead to major Supply Chain attacks with significant repercussions.”

A Race Condition

The exploitation method uncovered by Checkmarx leverages a potential race condition between the creation of a repository and the renaming of a username. Normally, after the developer changes the username, the old namespace is retired and cannot be reused.

However, the attacker uses API requests to create a new repository and change their own account's username almost simultaneously, so that the retirement check does not take effect.

“The discovery of this novel vulnerability in GitHub’s repository creation and username renaming operations underlines the persistent risks associated with the ‘Popular repository namespace retirement’ mechanism,” the researchers wrote. “Many GitHub users, including users that control popular repositories and packages, choose to use the ‘User rename’ feature GitHub offers. For that reason, the attempt to bypass the ‘Popular repository namespace retirement’ remains an attractive attack point for supply chain attackers with the potential to cause substantial damages.”

Another issue is that GitHub's protection is activated based on internal metrics and gives users no indication of whether it protects a particular namespace, leaving developers in the dark and some repositories and packages unknowingly at risk, they wrote.
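Since GitHub does not tell you whether a namespace is retired, the check a consumer can actually make is on their own side: find every dependency or GitHub Action that references a GitHub namespace and flag any whose owner has been renamed (the old namespace still resolves only because of the redirect the article describes), any that resolves to nothing at all, and any Action that is consumed by a mutable tag rather than a commit SHA. The following is an added example written for this page, not code from Checkmarx, Security Boulevard or GitHub. The `go.mod` and workflow fragments, the owner names, and the `SAMPLE_RESOLUTIONS` table are all constructed; in real use the resolver would query GitHub (for example, following the redirect a request for a renamed owner's repository returns) instead of reading from that table.

```python
"""Audit GitHub-namespaced dependencies for renamed or vanished owners.

Added example for illustration; everything below is constructed, not taken
from the article or from any real project.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed go.mod fragment (hypothetical module and owner names).
SAMPLE_GO_MOD = """\
module example.com/app

require (
    github.com/oldname/fastjson v1.2.0
    github.com/stable-org/logger v0.9.1
    github.com/vanished-user/tinyhttp v2.0.0
)
"""

# Constructed GitHub Actions workflow fragment (hypothetical action names).
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@v4
  - uses: oldname/setup-toolchain@v1
  - uses: stable-org/lint-action@8f4b2c1d9e0a7b6c5d4e3f2a1b0c9d8e7f6a5b4c
"""

# Constructed stand-in for a live lookup: the namespace a reference currently
# resolves to (a different owner means the account was renamed and the old
# name now works only via redirect), or None when nothing is there.
SAMPLE_RESOLUTIONS: Dict[Tuple[str, str], Optional[Tuple[str, str]]] = {
    ("oldname", "fastjson"): ("newname", "fastjson"),
    ("stable-org", "logger"): ("stable-org", "logger"),
    ("vanished-user", "tinyhttp"): None,
    ("actions", "checkout"): ("actions", "checkout"),
    ("oldname", "setup-toolchain"): ("newname", "setup-toolchain"),
    ("stable-org", "lint-action"): ("stable-org", "lint-action"),
}

# github.com/<owner>/<repo> as it appears in Go module paths and in Swift/PHP
# package URLs; the repo group stops at the next slash, so /v2 suffixes and
# sub-paths are ignored.
GITHUB_URL_RE = re.compile(r"github\.com/([\w-]+)/([\w.-]+)")
# <owner>/<repo>[/subpath]@<ref> on a workflow 'uses:' line; local (./) and
# docker:// actions do not match because they carry no owner/repo pair.
USES_RE = re.compile(r"\buses:\s*([\w-]+)/([\w.-]+)(?:/[^@\s]+)?@(\S+)")
# A full 40-character commit SHA; anything else is a mutable reference.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

Resolver = Callable[[str, str], Optional[Tuple[str, str]]]


def extract_references(text: str) -> List[Tuple[str, str, Optional[str]]]:
    """Return (owner, repo, ref) triples; ref is None for non-Action references."""
    refs: List[Tuple[str, str, Optional[str]]] = []
    for m in USES_RE.finditer(text):
        refs.append((m.group(1), m.group(2), m.group(3)))
    for m in GITHUB_URL_RE.finditer(text):
        refs.append((m.group(1), m.group(2), None))
    return refs


def audit(text: str,
          resolve: Resolver = lambda o, r: SAMPLE_RESOLUTIONS.get((o, r))
          ) -> List[Tuple[str, str, str]]:
    """Return (namespace, finding, detail) for every risky reference in text."""
    findings: List[Tuple[str, str, str]] = []
    for owner, repo, ref in extract_references(text):
        ns = f"{owner}/{repo}"
        current = resolve(owner, repo)
        if current is None:
            findings.append((ns, "missing",
                             "namespace resolves to nothing; the owner name "
                             "may be free for anyone to register"))
        elif current[0].lower() != owner.lower():  # GitHub owners are case-insensitive
            findings.append((ns, "renamed-owner",
                             f"now served from {current[0]}/{current[1]} via "
                             "redirect; update the reference, since whether "
                             "the old namespace is retired cannot be inspected"))
        if ref is not None and not SHA_RE.match(ref):
            findings.append((ns, "unpinned-action",
                             f"ref {ref!r} is mutable; pin to a full commit SHA"))
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_GO_MOD, SAMPLE_WORKFLOW):
        for namespace, kind, detail in audit(sample):
            print(f"{kind:15} {namespace}: {detail}")
```

A `renamed-owner` finding is the case the article is about: the reference still works, but only through the redirect that accompanies a username change, and nothing visible to the consumer says whether the retirement mechanism covers it. Pointing the reference at the current owner removes the dependence on that protection, and pinning Actions to a commit SHA removes the tag from the attack surface entirely.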


Original Post URL: https://securityboulevard.com/2023/09/github-vulnerability-put-code-packages-at-risk-of-repojacking/

Category & Tags: Application Security, Cybersecurity, Data Security, DevOps, Featured, Identity & Access, Malware, News, Security Boulevard (Original), Spotlight, Threat Intelligence, Vulnerabilities, developers, GitHub, hijacking, software code
