GitHub Repojacking Bug Could've Allowed Attackers to Takeover Other Users' Repositories
Cloud-based repository hosting service GitHub has addressed a high-severity security flaw that could have been exploited to create malicious repositories and mount supply chain attacks.
The RepoJacking technique, disclosed by Checkmarx, entails a bypass of a protection mechanism called popular repository namespace retirement, which aims to prevent developers from pulling unsafe repositories with the same name.
The issue was addressed by the Microsoft-owned subsidiary on September 19, 2022 following responsible disclosure.
RepoJacking occurs when a creator of a repository opts to change the username, potentially enabling a threat actor to claim the old username and publish a rogue repository with the same name in an attempt to trick users into downloading them.
While Microsoft's countermeasure "retire[s] the namespace of any open source project that had more than 100 clones in the week leading up to the owner's account being renamed or deleted," Checkmarx found that this can be circumvented through the "repository transfer" feature.
The way this works is as follows -
- A threat actor creates a repository with the same name as the retired repository (say, "repo") owned by a user named "victim" but under a different username (say, "helper")
- "helper" transfers ownership of "repo" to a second account with username "attacker"
- "attacker" renames the account's username to "victim"
- The namespace "victim/repo" is now under the adversary's control
In other words, the attack hinges on the quirk that GitHub only considers as retired the namespace, i.e., the combination of username and repository name, permitting a bad actor to reuse the repository name in conjunction with an arbitrary username.
A successful exploitation could have effectively allowed attackers to push poisoned repositories, putting renamed usernames at risk of being a victim of supply chain attacks.
"If not explicitly tended, all renamed usernames on GitHub were vulnerable to this flaw, including over 10,000 packages on the Go, Swift, and Packagist package managers," Checkmarx researcher Aviad Gershon said.