GitHub Repojacking Bug Could’ve Allowed Attackers to Take Over Other Users’ Repositories

Cloud-based repository hosting service GitHub has addressed a high-severity security flaw that could have been exploited to create malicious repositories and mount supply chain attacks.

The RepoJacking technique, disclosed by Checkmarx, entails a bypass of a protection mechanism called popular repository namespace retirement, which aims to prevent developers from pulling unsafe repositories with the same name.

The issue was addressed by the Microsoft-owned subsidiary on September 19, 2022 following responsible disclosure.

RepoJacking occurs when the creator of a repository opts to change their username, potentially enabling a threat actor to claim the old username and publish a rogue repository with the same name in an attempt to trick users into downloading it.

While Microsoft’s countermeasure “retire[s] the namespace of any open source project that had more than 100 clones in the week leading up to the owner’s account being renamed or deleted,” Checkmarx found that this can be circumvented through the “repository transfer” feature.

The way this works is as follows:

  • A threat actor creates a repository with the same name as the retired repository (say, “repo”) owned by a user named “victim” but under a different username (say, “helper”)
  • “helper” transfers ownership of “repo” to a second account with username “attacker”
  • “attacker” renames the account’s username to “victim”
  • The namespace “victim/repo” is now under the adversary’s control

In other words, the attack hinges on the quirk that GitHub only treats the namespace, i.e., the combination of username and repository name, as retired, which permits a bad actor to reuse the repository name under an arbitrary username.

Successful exploitation could have allowed attackers to push poisoned repositories, exposing projects under renamed usernames to supply chain attacks.

“If not explicitly tended, all renamed usernames on GitHub were vulnerable to this flaw, including over 10,000 packages on the Go, Swift, and Packagist package managers,” Checkmarx researcher Aviad Gershon said.
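The practical question for a defender is which of your dependencies point at a GitHub namespace that no longer belongs to its original owner, since those are the ones a reclaimed username could hijack. The script below is an added example, not Checkmarx’s or GitHub’s code: it parses the `github.com/...` requirements of a constructed `go.mod` and classifies each against a constructed redirect table (in practice you would build that table from the redirect GitHub returns for `GET /repos/{owner}/{repo}` on the API).

```python
"""Flag Go dependencies whose GitHub namespace has moved or gone dangling."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample go.mod; the module paths are invented for illustration.
SAMPLE_GO_MOD = """module example.com/app

go 1.19

require (
    github.com/victim/repo v1.4.0
    github.com/helper/tool v0.2.1
    golang.org/x/text v0.3.7
    github.com/OldOrg/lib v2.0.0+incompatible
)
"""

# Constructed stand-in for what the GitHub API would reveal per namespace:
#   old "owner/repo" -> namespace it currently redirects to, or
#   None when the old namespace no longer resolves at all (owner renamed or
#   deleted and nothing claimed the name yet, so anyone could register it).
SAMPLE_REDIRECTS: Dict[str, Optional[str]] = {
    "victim/repo": "newname/repo",
    "oldorg/lib": None,
}

# One `github.com/<owner>/<repo> <version>` requirement per line.
GITHUB_MODULE = re.compile(r"^\s*github\.com/([^/\s]+)/([^/\s]+)\s+(\S+)", re.M)


def github_deps(go_mod: str) -> List[Tuple[str, str]]:
    """Return ("owner/repo", version) for every github.com module in go.mod."""
    return [(f"{o}/{r}", v) for o, r, v in GITHUB_MODULE.findall(go_mod)]


def audit(go_mod: str, redirects: Dict[str, Optional[str]]) -> List[dict]:
    """Classify each GitHub dependency by who currently owns its namespace.
    GitHub usernames are case-insensitive, so the lookup is lower-cased."""
    findings = []
    for ns, version in github_deps(go_mod):
        key = ns.lower()
        if key not in redirects:
            status = "ok"            # still served by the owner named in go.mod
        elif redirects[key] is None:
            status = "unclaimed"     # dangling namespace: repojacking candidate
        else:
            status = "redirected"    # depends on GitHub's redirect to the new owner
        findings.append({"module": ns, "version": version, "status": status,
                         "current": redirects.get(key, ns)})
    return findings
```

Entries reported as `redirected` should have their module path updated to the new owner, and `unclaimed` ones need an owner-side fix before the name can be claimed by someone else.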
