A new vulnerability revealed in GitHub could have put thousands of repositories at risk of repojacking attacks, according to new findings.
The flaw “could allow an attacker to exploit a race condition in GitHub’s repository creation and username renaming operations,” Elad Rapoport, a security researcher at Checkmarx, said in a technical report shared with The Hacker News.
“Successful exploitation of this vulnerability impacts the open source community by allowing the hijacking of more than 4,000 code packages in languages including Go, PHP, and Swift, as well as GitHub actions.”
Following a responsible disclosure on March 1, 2023, the Microsoft-owned code hosting platform resolved the issue on September 1, 2023.
Repojacking, short for repository hijacking, is a technique by which a malicious actor is able to bypass a security mechanism popularly known as repository namespace removal and ultimately take control of a repository.
The safeguard prevents other users from creating a repository with the same name as a repository that had more than 100 clones at the time its owner’s user account was renamed. In other words, the combination of username and repository name is considered “retired”.
If this protection were trivially bypassed, it could allow malicious actors to create new accounts with the same username and upload malicious repositories, which could lead to software supply chain attacks.
The new method described by Checkmarx takes advantage of a potential race condition between the creation of a repository and the renaming of a username to achieve repojacking. More specifically, it involves the following steps:
- The victim has the namespace “victim_user/repo”
- Victim renames “victim_user” to “renamed_user”
- The “victim_user/repo” namespace is now retired
- A threat actor with the username “attacker_user” simultaneously creates a repository called “repo” and renames the username “attacker_user” to “victim_user”.
The last step is accomplished using an API request for repository creation and an intercepted rename request for the username change. The development comes nearly nine months after GitHub patched a similar bypass flaw that could have opened the door to repojacking attacks.
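As an added illustration (not Checkmarx’s or GitHub’s code), the toy model below shows why a rename that validates on one snapshot and commits on a later one lets a repository created in between escape the retirement check, and how holding one lock across check and commit closes the gap. The registry class, its clone threshold and the scenario functions are assumptions made for the example.

```python
import threading
RETIRE_THRESHOLD = 100  # namespaces with more clones than this are retired on rename

class Registry:  # toy model of namespace retirement (assumed; not GitHub's code)
    def __init__(self):
        self.repos, self.retired, self.lock = {}, set(), threading.Lock()
    def create(self, owner, name):
        key = f"{owner}/{name}"
        with self.lock:
            if key in self.retired or key in self.repos:
                return False
            self.repos[key] = 0
            return True
    def owned_by(self, owner):
        return [k for k in self.repos if k.split("/", 1)[0] == owner]
    def rename_check(self, old, new):
        # Phase 1: validate against the repos the user owns at *this* moment.
        return not any(f"{new}/{k.split('/', 1)[1]}" in self.retired for k in self.owned_by(old))
    def rename_commit(self, old, new):
        # Phase 2: move whatever the user owns at commit time, retiring popular names.
        for key in self.owned_by(old):
            clones = self.repos.pop(key)
            if clones > RETIRE_THRESHOLD:
                self.retired.add(key)
            self.repos[f"{new}/{key.split('/', 1)[1]}"] = clones
    def rename_atomic(self, old, new):
        # Hardened: check and commit under one lock, so no create can slip in between.
        with self.lock:
            if not self.rename_check(old, new):
                return False
            self.rename_commit(old, new)
            return True

def registry_after_victim_rename():
    reg = Registry()
    reg.repos["victim_user/repo"] = 500   # constructed: popular enough to be retired
    reg.rename_atomic("victim_user", "renamed_user")
    return reg                             # "victim_user/repo" is now retired

def split_rename_escapes_retirement():
    reg = registry_after_victim_rename()
    reg.rename_check("attacker_user", "victim_user")   # passes: attacker owns nothing yet
    reg.create("attacker_user", "repo")                # lands after the check ...
    reg.rename_commit("attacker_user", "victim_user")  # ... and is moved unvalidated
    return "victim_user/repo" in reg.repos             # True: retirement bypassed

def atomic_rename_blocks_it():
    reg = registry_after_victim_rename()
    reg.create("attacker_user", "repo")
    return reg.rename_atomic("attacker_user", "victim_user")  # False: namespace retired
```

With the atomic rename, the other ordering fails too: once “victim_user/repo” is retired, a later create under that name is refused, so the only way to land in the namespace is the unvalidated window between check and commit.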
“The discovery of this new vulnerability in GitHub’s repository creation and username renaming operations highlights the ongoing risks associated with the ‘remove popular repository namespaces’ mechanism,” Rapoport said.