Updated on 2022-10-30: GitHub fixes repo-hijack bug
Researchers at Checkmarx found a vulnerability, now addressed by GitHub, which allowed attackers to take control of code repositories because of a naming issue. Per The Record, thousands of GitHub users, including those in control of popular repositories and packages, opt to change their usernames, “leaving namespaces including their old usernames open to exploitation.” This is because old usernames become available again for anyone to claim, create a matching repository name, and hijack the namespace. More at SC Media. Read more: GitHub resolves flaw allowing attacker to take over repository, infect all applications
Updated on 2022-10-27: GitHub Fixes Vulnerability That Could Have Allowed Account Takeover
Researchers from Checkmarx Supply Chain Security team found a vulnerability in GitHub that could be exploited to take control of GitHub repositories. The issue affects renamed GitHub accounts. GitHub has addressed the flaw.
Note
- Make sure that you’re referencing the most current repository name in your GitHub requests. Monitor for redirected repositories, update your configuration to use the new location, and verify that the intended packages are at that location. The vulnerability existed when a user renamed their repository, which caused redirects to be set up from the old name to the new one, and someone else then registered on GitHub with the vacated username, which removed the redirects; that person could then deliver their own package to systems expecting the moved one. GitHub now has a process whereby popular usernames, when changed, are retired so that a vacated username cannot be activated.
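A dependency-manifest check in the spirit of the note above, added here as an example and not taken from any of the linked articles. It assumes only GitHub's documented behaviour of answering a renamed repository with an HTTP redirect and a vacant one with a 404; the sample manifest, the owner and repository names, and the offline resolver are constructed for the demonstration.

```python
import re
import urllib.error
import urllib.request
from collections import namedtuple
# Matches github.com/<owner>/<repo> in https, git+https and ssh-style dependency references.
GITHUB_REF = re.compile(r"github\.com[/:]([\w.-]+)/([\w.-]+?)(?:\.git)?(?=[\s@#\"']|$)", re.M)
# status is "ok", "redirected" (rename redirect in effect) or "missing" (namespace vacant).
Finding = namedtuple("Finding", "declared resolved status")

def extract_github_refs(manifest_text):
    """Return the unique owner/repo names referenced in a dependency manifest."""
    return sorted({f"{o}/{r}" for o, r in GITHUB_REF.findall(manifest_text)})

def resolve_via_http(owner_repo):
    """Follow GitHub's redirects for a repo URL; return the final owner/repo, or None on 404."""
    try:
        with urllib.request.urlopen(f"https://github.com/{owner_repo}", timeout=10) as resp:
            final_url = resp.geturl()
    except urllib.error.HTTPError as err:
        if err.code != 404:
            raise
        return None
    m = re.search(r"github\.com/([\w.-]+)/([\w.-]+)", final_url)
    return f"{m.group(1)}/{m.group(2)}" if m else None

def audit(manifest_text, resolver=resolve_via_http):
    """Compare every declared GitHub dependency with where GitHub actually resolves it."""
    findings = []
    for ref in extract_github_refs(manifest_text):
        resolved = resolver(ref)
        if resolved is None:
            status = "missing"      # vacant namespace: the condition a repojacking attempt needs
        elif resolved.lower() == ref.lower():
            status = "ok"
        else:
            status = "redirected"   # works today only via a redirect; pin the new name now
        findings.append(Finding(ref, resolved, status))
    return findings

# Constructed sample manifest plus an offline resolver standing in for live GitHub lookups.
SAMPLE_MANIFEST = """libfoo @ git+https://github.com/example-org/libfoo.git@v1.2.0
tool @ git+ssh://git@github.com/old-user/tool.git#egg=tool
https://github.com/retired-owner/pkg
"""
FAKE_RESOLVER = {"example-org/libfoo": "example-org/libfoo",
                 "old-user/tool": "new-user/tool", "retired-owner/pkg": None}.get
if __name__ == "__main__":
    for f in audit(SAMPLE_MANIFEST, FAKE_RESOLVER):
        print(f"{f.status:10} {f.declared} -> {f.resolved}")
```

Run `audit(text)` without the second argument to query GitHub for real; a "redirected" result should be fixed in the manifest before the redirect disappears, and a "missing" result means the declared namespace is currently unowned.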
Read more in
- Attacking the Software Supply Chain With Simple Rename
- High-severity vulnerability in GitHub was susceptible to Repo Jacking
- GitHub Account Renaming Could Have Led to Supply Chain Attacks
Overview: GitHub vulnerability
Checkmarx researchers said they helped GitHub fix a vulnerability in a feature GitHub launched this April to prevent threat actors from claiming old usernames and hijacking existing packages, a technique known as repojacking. If exploited, this vulnerability would have allowed attackers to carry out new repojacking attacks and execute supply chain attacks via legitimate projects. Read more: