- Checkmarx SCS reported the vulnerability to GitHub and GitHub classified it as High severity and fixed the vulnerability.
- The vulnerability enables attackers to take control over a GitHub repository, and potentially infect all applications and other code relying on it with malicious code.
- The team identified over 10,000 packages on the affected package managers that reference renamed usernames and were therefore at risk from this technique.
The Checkmarx Supply Chain Security team discovered a vulnerability in GitHub that allowed attackers to take control of a GitHub repository and infect it with malicious code. The team claims that all renamed usernames on GitHub were vulnerable to this flaw, which covers more than 10,000 packages on the Go, Swift, and Packagist package managers. Those packages could have been hijacked to serve malicious code to millions of users.
RepoJacking
After Checkmarx reported the vulnerability, which was found in the mechanism named Popular repository namespace retirement, it was fixed and is no longer exploitable. On GitHub, each repository has a unique URL nested under the account of the user who created it, and anyone who clones the repository uses that full URL. When a user renames the account, GitHub displays a warning that all traffic to the old repository URL will be redirected.
Once the warning is accepted and the username is renamed, redirect rules are created from the old URL to the new one. RepoJacking aims to hijack the traffic still arriving at the old repository URL and route it to the attacker’s repository, exploiting a logical flaw to break the original redirect. The technique is only possible when a creator changes the username and the old one becomes available for registration. By registering a new account under the creator’s old username and creating a repository with the same name, the attacker reproduces the original URL.
This disables the redirect, and the traffic is routed to the attacker’s repository. GitHub introduced the Popular repository namespace retirement protection measure to prevent this: it treats as retired any repository with more than 100 clones at the time its user account is renamed. On 19 September, GitHub fixed the vulnerability, classified it as “High” severity, and awarded Checkmarx a bug bounty. Checkmarx said,
« Many GitHub users choose to use the “User rename” feature GitHub offers, among them, users that control popular repositories and packages. For that reason, the attempt to bypass the “Popular repository namespace retirement” remains an attractive attack point for supply chain attackers with the potential to cause substantial damages. Moreover, it is interesting to notice that GitHub’s provided protection is activated based on internal metrics and gives the users no indication if a particular namespace is protected by it or not. This might leave some repositories and packages unknowingly at risk. »
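As an added, defender-side example (not code from the article, from Checkmarx or from GitHub), the following Python script applies the mechanism described above to a dependency manifest: a package fetched through a renamed account's old URL works only because of GitHub's redirect, so a go.mod entry whose owner no longer matches the owner GitHub serves as canonical is relying on that redirect and should be re-pointed at the new path. The sample go.mod, the owner names and the redirect table are constructed so the script runs offline; the optional live resolver assumes github.com answers HEAD requests for repository pages and redirects renamed accounts as the article describes.

```python
"""Audit go.mod dependencies for GitHub owners that have been renamed.

Added example, not from the article, Checkmarx or GitHub. A dependency
reached through a renamed account's old URL depends on GitHub's redirect;
this script flags such entries so they can be re-pointed at the new owner.
"""
import re
from typing import Callable, Dict, List, NamedTuple, Optional, Tuple

# Constructed sample manifest: module names and owners are invented.
SAMPLE_GO_MOD = """\
module example.com/myservice

go 1.21

require (
    github.com/oldname/widgets v1.4.2
    github.com/stable-org/logger v0.9.0
    golang.org/x/text v0.14.0
    github.com/gone-user/parser v2.0.0+incompatible // indirect
)
"""

# owner / repo / optional major-version suffix (/v2) / version
GITHUB_REQUIRE = re.compile(
    r"^github\.com/([A-Za-z0-9][A-Za-z0-9-]*)/([A-Za-z0-9_.-]+?)(?:/v\d+)?\s+(\S+)$"
)

class Dep(NamedTuple):
    owner: str
    repo: str
    version: str

class Finding(NamedTuple):
    dep: Dep
    status: str                # "ok", "renamed" or "unresolved"
    canonical: Optional[str]   # "owner/repo" GitHub currently serves, if any

# A resolver maps (owner, repo) to the canonical (owner, repo) GitHub serves
# after following redirects, or None when the path no longer resolves.
Resolver = Callable[[str, str], Optional[Tuple[str, str]]]

def parse_go_mod(text: str) -> List[Dep]:
    """Return the GitHub-hosted requirements, in file order."""
    deps: List[Dep] = []
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()      # drop "// indirect" etc.
        if line.startswith("require "):           # single-line require form
            line = line[len("require "):].strip()
        m = GITHUB_REQUIRE.match(line)
        if m:
            deps.append(Dep(m.group(1), m.group(2), m.group(3)))
    return deps

def audit(deps: List[Dep], resolve: Resolver) -> List[Finding]:
    """Classify each dependency by comparing its owner with the canonical one."""
    findings: List[Finding] = []
    for dep in deps:
        canonical = resolve(dep.owner, dep.repo)
        if canonical is None:
            findings.append(Finding(dep, "unresolved", None))
        # GitHub usernames are case-insensitive, so compare case-folded.
        elif canonical[0].lower() != dep.owner.lower():
            findings.append(Finding(dep, "renamed", "/".join(canonical)))
        else:
            findings.append(Finding(dep, "ok", "/".join(canonical)))
    return findings

# Constructed redirect table standing in for GitHub so the example runs
# offline: "oldname" was renamed to "newname"; "gone-user/parser" is gone.
CONSTRUCTED_REDIRECTS: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("oldname", "widgets"): ("newname", "widgets"),
    ("stable-org", "logger"): ("stable-org", "logger"),
}

def table_resolver(owner: str, repo: str) -> Optional[Tuple[str, str]]:
    return CONSTRUCTED_REDIRECTS.get((owner.lower(), repo.lower()))

def github_resolver(owner: str, repo: str) -> Optional[Tuple[str, str]]:
    """Live resolver (assumption: github.com answers HEAD and redirects renamed
    accounts). Follows the redirect and reads the final owner/repo path."""
    import urllib.error, urllib.parse, urllib.request
    req = urllib.request.Request(f"https://github.com/{owner}/{repo}", method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            parts = urllib.parse.urlparse(resp.geturl()).path.strip("/").split("/")
    except urllib.error.HTTPError:       # 404 and similar: path does not resolve
        return None
    return (parts[0], parts[1]) if len(parts) >= 2 else None

def report(findings: List[Finding]) -> List[str]:
    """One line per dependency that needs attention; "ok" entries are silent."""
    lines: List[str] = []
    for f in findings:
        path = f"github.com/{f.dep.owner}/{f.dep.repo}"
        if f.status == "renamed":
            lines.append(f"{path}: owner renamed, re-point to github.com/{f.canonical}")
        elif f.status == "unresolved":
            lines.append(f"{path}: does not resolve, verify before the next build")
    return lines

if __name__ == "__main__":
    for line in report(audit(parse_go_mod(SAMPLE_GO_MOD), table_resolver)):
        print(line)
```

Swap `table_resolver` for `github_resolver` to run the check against a real go.mod; a "renamed" finding means the build is trusting the redirect the article describes, and the fix is to update the module path to the canonical owner rather than to keep depending on the old username.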