For a few days earlier this year, rogue GitHub apps could have hijacked countless repos

A bit of a near-hit for the software engineering world

A GitHub bug could have been exploited earlier this year by connected third-party apps to hijack victims' source-code repositories.

For almost a week in late February and early March, rogue applications could have generated scoped installation tokens with elevated permissions, allowing them to gain otherwise unauthorized write or administrative access to developers' repos. For example, if an app was granted read-only access to an organization or individual's code repo, the app could effortlessly escalate that to read-write access.

This security blunder has since been addressed and before any miscreants abused the flaw to, for instance, alter code and steal secrets and credentials, according to Microsoft's GitHub, which assured The Register it's "committed to investigating reported security issues."

This is good news, because according to Aqua Security researchers, exploitation would have had a massive impact on "basically everyone." In effect, this is a near hit for the industry as miscreants could have exploited the hole to exfiltrate cloud credentials from private repos or potentially tamper with software projects.

"Every company that uses GitHub and has a GitHub App installed (basically everyone) could potentially be affected by this," Aqua security researcher Gal Singer wrote in an analysis this week. The cloud-native security company privately alerted GitHub to fix the oversight. 

"Following the report, we thoroughly investigated the bug to identify possible paths of exploitation," a GitHub spokesperson said, in response to questions about the bug. In lieu of publishing a security advisory for all to see, GitHub sent a notice to all of its customers, adding: "We do not have any evidence to suggest that GitHub or customer data was impacted."

The GitHub Apps system allows applications to integrate with the source-code warehouse so that developers can add features, automate processes, and extend projects' workflows. These third-party apps can also be bought and shared in the GitHub Marketplace, and some of the most popular ones have thousands if not millions of installs.

GitHub Apps authenticate using tokens, and according to Aqua herein lies the problem. 

Here's the way it's supposed to work: GitHub Apps create and use scoped installation tokens based on the permissions granted to them when a user or organization installs the app. 

As Singer explained:

For example, if you granted it access to read a user's profile data, the scoped token the app generates would have the 'read:user' permission.

However, a flaw in GitHub's own code between February 25 and March 2 could have been exploited by an app to generate a token with an overly permissive scope. This could have allowed an app, which should have generated a token that only allowed read-access, to elevate the permission to write:user.

In a worst-case scenario, every newly generated token during that time frame could have been stepped up to grant the app administrator access, Singer noted:

If a software vendor's private repository that contains their source code and intellectual property was leaked or deleted, this could literally mean the end of that company.

The bug also highlights the larger security risk posed by third-party applications, libraries, and packages to software supply chains, he added. 

This echoes concerns shared by the boss of the Microsoft Security Response Center, as well as 82 percent of CIOs in a survey of 1,000 such C-suite execs. ®

Broader topics

Other stories you might like

  • Arrogant, subtle, entitled: 'Toxic' open source GitHub discussions examined
    Developer interactions sometimes contain their own kind of poison

    Analysis Toxic discussions on open-source GitHub projects tend to involve entitlement, subtle insults, and arrogance, according to an academic study. That contrasts with the toxic behavior – typically bad language, hate speech, and harassment – found on other corners of the web.

    Whether that seems obvious or not, it's an interesting point to consider because, for one thing, it means technical and non-technical methods to detect and curb toxic behavior on one part of the internet may not therefore work well on GitHub, and if you're involved in communities on the code-hosting giant, you may find this research useful in combating trolls and unacceptable conduct.

    It may also mean systems intended to automatically detect and report toxicity in open-source projects, or at least ones on GitHub, may need to be developed specifically for that task due to their unique nature.

    Continue reading
  • How refactoring code in Safari's WebKit resurrected 'zombie' security bug
    Fixed in 2013, reinstated in 2016, exploited in the wild this year

    A security flaw in Apple's Safari web browser that was patched nine years ago was exploited in the wild again some months ago – a perfect example of a "zombie" vulnerability.

    That's a bug that's been patched, but for whatever reason can be abused all over again on up-to-date systems and devices – or a bug closely related to a patched one.

    In a write-up this month, Maddie Stone, a top researcher on Google's Project Zero team, shared details of a Safari vulnerability that folks realized in January this year was being exploited in the wild. This remote-code-execution flaw could be abused by a specially crafted website, for example, to run spyware on someone's device when viewed in their browser.

    Continue reading
  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading

Biting the hand that feeds IT © 1998–2022