Repojacking Attacks

Risk of Repojacking Attacks: Github Exposes Thousands of Vulnerabilities


A recent GitHub vulnerability disclosure has revealed that thousands of repositories were potentially susceptible to repojacking attacks.

This vulnerability could have allowed an attacker to exploit a race condition within GitHub’s repository creation and username renaming procedures. 


Elad Rapoport, a security researcher from Checkmarx, shared this discovery and stated, “Successful exploitation of this vulnerability impacts the open-source community by enabling the hijacking of over 4,000 code packages in languages like Go, PHP, and Swift, as well as GitHub actions.”

Resolved? Yes. Following responsible disclosure on March 1, 2023, the Microsoft-owned code hosting platform addressed the issue as of September 1, 2023.

What is Repojacking?

Repojacking, an abbreviation for repository hijacking, involves a threat actor bypassing a security mechanism called “popular repository namespace retirement” and taking control of a repository.

When a user account is renamed, this protective measure prevents others from creating a repository with the same name as any of that account's repositories that had more than 100 clones; the combination of username and repository name is considered “retired.”

If this safeguard could be easily circumvented, it might allow threat actors to create new accounts with the same username and upload malicious repositories, potentially leading to software supply chain attacks.


Steps used in exploitation, as detailed by Checkmarx

The repojacking attack method detailed by Checkmarx takes advantage of a possible race condition between repository creation and username renaming, following these steps:

  • The victim owns the namespace “victim_user/repo.”
  • The victim renames “victim_user” to “renamed_user,” causing the “victim_user/repo” repository to be retired.
  • A threat actor with the username “attacker_user” simultaneously creates a repository called “repo” and renames the username “attacker_user” to “victim_user.”

This final step uses an API request for the repository creation together with an intercepted request for the username rename. The discovery comes nearly nine months after GitHub patched a similar bypass flaw that could have exposed repositories to repojacking attacks.

Vigilance and Prevention Keep You Secure!

To safeguard against repojacking, organizations should avoid direct links to GitHub repositories, which are not meant to serve as package managers. Using a dedicated package manager instead is the safer option.

However, even without direct GitHub links, the risk can persist through hidden (transitive) dependencies. Vendoring, that is, pre-downloading all dependencies and including them in the repository, can mitigate the risk but requires vigilant monitoring of dependency updates.

Version pinning, tying each dependency to a specific version through its SHA1 commit hash rather than a movable tag or branch, adds another layer of security.
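As an added illustration of the pinning advice above (example code written for this article, not from Checkmarx or GitHub), the following Python script scans a constructed GitHub Actions workflow and go.mod fragment and flags dependencies referenced by a movable tag or branch instead of a commit hash; all repository names and hashes in it are constructed.

```python
import re

# Constructed sample inputs (not from the article): a GitHub Actions workflow
# and a go.mod fragment, each referencing GitHub-hosted dependencies.
WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: victim_user/setup-tool@8f4b2c1d3e5a6f7089b1c2d3e4f5a6b7c8d9e0f1
      - uses: other_org/linter@main
"""
GOMOD = """\
module example.com/app
require (
    github.com/victim_user/repo v1.2.3
    github.com/some_org/lib v0.0.0-20230301120000-0123456789ab
)
"""

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
# Go pseudo-versions end in a timestamp plus a 12-hex commit prefix.
PSEUDO_RE = re.compile(r"-\d{14}-[0-9a-f]{12}$")
USES_RE = re.compile(r"uses:\s*([\w.-]+/[\w.-]+)@(\S+)")
GOREQ_RE = re.compile(r"^\s*(?:require\s+)?github\.com/([\w.-]+/[\w.-]+)\s+(\S+)", re.M)


def is_pinned(ref):
    """True when ref names an immutable commit. Tags and branches are movable,
    so a hijacked namespace could serve new code under the same name; a commit
    hash that the new repository does not contain simply fails to resolve."""
    return bool(SHA1_RE.match(ref) or PSEUDO_RE.search(ref))

def audit_workflow(text):
    """Map 'owner/repo' -> pinned? for every `uses:` step in a workflow."""
    return {repo: is_pinned(ref) for repo, ref in USES_RE.findall(text)}

def audit_gomod(text):
    """Map 'owner/repo' -> pinned? for every github.com requirement in go.mod."""
    return {repo: is_pinned(ver) for repo, ver in GOREQ_RE.findall(text)}

def unpinned(report):
    """Dependencies that should be re-pinned to a commit hash, sorted."""
    return sorted(repo for repo, pinned in report.items() if not pinned)

if __name__ == "__main__":
    for name, report in (("workflow", audit_workflow(WORKFLOW)),
                         ("go.mod", audit_gomod(GOMOD))):
        print(name, "unpinned:", unpinned(report))
```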

Yet, the most reliable defense against repojacking lies in adopting application security tools that provide rapid results, action plans, and seamless integration into DevOps environments, ensuring comprehensive protection.

Author: Anas Hasan

Date: September 13, 2023

Anas Hassan is a tech geek and cybersecurity enthusiast. He has a vast experience in the field of digital transformation industry. When Anas isn’t blogging, he watches the football games.
