How rogue GitHub apps could have hijacked countless repos • The Register


A GitHub bug could have been exploited earlier this year by connected third-party apps to hijack victims’ source code repositories.

For nearly a week in late February and early March, malicious apps could have generated extended install tokens with elevated permissions, allowing them to gain otherwise unauthorized write or administrative access to developer repos. For example, if an application was granted read-only access to an organization or individual’s code repository, the application could easily escalate that read-write access.

This security flaw has since been patched and before criminals abused the flaw to, for example, modify code and steal secrets and credentials, according to Microsoft’s GitHub, which assured The register it is “committed to investigating reported security issues”.

That’s good news, because according to Aqua Security researchers, the exploit would have had a massive impact on “virtually everyone.” Indeed, this is a near-blow for the industry, as malefactors could have exploited the hole to exfiltrate cloud credentials from private repositories or potentially tamper with software projects.

“Every company that uses GitHub and has installed a GitHub app (essentially everyone) could potentially be affected by this,” Gal Singer, security researcher at Aqua wrote in an analysis this week. The cloud-native security firm privately alerted GitHub to fix the oversight.

“Following the report, we thoroughly investigated the bug to identify possible avenues of exploitation,” a GitHub spokesperson said, in response to questions about the bug. Instead of posting a security advisory for all to see, GitHub sent a notice to all of its customers, adding, “We have no evidence to suggest that GitHub or customer data has been affected.”

The GitHub Apps system allows apps to integrate with the source code warehouse so developers can add functionality, automate processes, and extend project workflows. These third-party apps can also be purchased and shared on the GitHub marketplace, and some of the most popular have thousands or even millions of installs.

GitHub apps authenticate using tokens, and according to Aqua, that’s where the problem lies.

Here’s how it’s supposed to work: GitHub apps create and use extended install tokens based on the permissions granted to them when a user or organization installs the app.

As Singer explained:

However, a flaw in GitHub’s own code between February 25 and March 2 could have been exploited by an application to generate a token with an overly permissive scope. This could have allowed an application, which should have generated a token that only allowed read access, to elevate the permission of write:user.

In the worst case, each newly generated token during this period could have been hardened to grant access to the application administrator, Singer noted:

The bug also highlights the greater security risk posed by third-party apps, libraries and packages to software supply chains, he added.

This echoes concerns shared by the boss of the Microsoft Security Response Center, as well as 82% of CIOs in a survey of 1,000 C-suite executives. ®


About Author

Comments are closed.